The Cybersecurity Double Standard

[Image: Two faces]

We often see a double standard that puzzles us. To us, finance and cybersecurity are both critical functions requiring management oversight. But in the wild, we often see a big difference in how they are treated by management.

When we ask senior managers about cybersecurity we often get a rather shockingly low level of interest: "I don't really know what my CISO does all day; I am not a programmer. I can't read an Incident Report. I know that whatever they do is working because our systems are still up and running."

Imagine a CEO being comfortable making the equivalent statements about their CFO: "I don't really know what my CFO does all day; I am not an accountant. I can't read a financial statement. I know that whatever they are doing is working because my paycheck clears every month."

That second CEO, the one who cannot be bothered to think about finance, would not keep their job for very long, assuming that such a person could ever get the job in the first place.

This double standard seems so strange to me that I asked a seasoned investor I know for his take, and it was delightfully unadorned: "We all have MBAs." I know what he means: some basic financial background is almost required for a senior executive or investor, and if you do not come out of the finance world then you have to learn about the finance world pretty darn quick or you don't get promoted.

The frustrating part is that cybersecurity and finance are rather similar in very basic ways. If you can grasp the basics of one, you can grasp the basics of the other. Both have controls which are used to keep bad things from happening. Both have reporting requirements to ensure the effectiveness of the controls. Both assume that people sometimes behave badly and so bad behavior has to be prevented and discouraged. Both understand that not ALL people are evil and that having controls is not in any way insulting to the people who have to work within those controls.

Time is money. Money is money. Productivity is money. Uptime is money. Cybersecurity is ultimately about money, not technology.

You learned how to read a Profit-and-Loss statement, which is a model of compact and clear information presentation. You can figure out the cybersecurity P&L if you try. You can work with the IT security folks to get management reports which are easy enough for the IT folks to produce and easy enough for the management folks to comprehend. Pythia Cyber can help facilitate those conversations because we recognize that cybersecurity has both a leadership and an interpersonal component.

Oversight is a management function. You oversee Sales and Marketing, HR, Operations, Finance -- every aspect of the organization. Except cybersecurity. How does that make good business sense?
