What Cybersecurity Chiefs Can Learn from Warren Buffett

Over the past five years, I have met with hundreds of chief information security officers (CISOs) from Fortune 500s, small businesses and government agencies. The stakes involved in protecting our data, our privacy and our national security have never been higher, yet security professionals are stymied in developing new methods and pedagogy to deal with the brisk pace of risk and change. While there are many cybersecurity protection frameworks such as NIST, or industry-specific compliance regimes such as PCI or HITRUST, the accepted wisdom of the past few decades is crumbling under the new and increasingly difficult challenges of cybersecurity.

So where does an IT security professional turn for advice? How about Warren Buffett? Buffett is one of the best investment and business thinkers of our time. What most security leaders don't know is that his approach to protecting his own investments (and the following advice he is believed to have dispensed on the subject) applies equally to their rising challenges.

'What we learn from history is that people do not learn from history.'

One of the greatest insights from our interactions with IT security leaders is that, despite the increasingly perilous threat landscape (as measured by the rising number of breaches and the material damage they cause), most security teams are doubling down on failing technologies and management practices that worked well in one era but are ineffective today. This year alone, companies will invest $86.4 billion in technology designed to protect their data, up from half that number less than five years ago. Based on the headlines of the day, how well are these investments working?

Advice for CISOs: Evaluate your technology portfolio much as Buffett evaluates his many investments, with biannual or annual performance reviews of those investments to inform how to move forward. Create an investment framework that measures the yield of investments in your people, processes and technologies. Metrics could include reductions in incidents, speed of application deployment, cost reductions in overall IT spending, time to compliance or customer acceptance.

'Risk comes from not knowing what you're doing.'

Many CISOs today are terrified of "flying blind": being unable to spot malware on their organization's devices, from PCs and smartphones to the servers in the data center or public cloud applications. Moreover, the security data they do collect is often swamped by "false positives," wild goose chases based on the thousands of false alerts they receive and process daily. Most organizations lack a basic understanding of how their applications work, how those applications communicate over networks and which parts of their computing environment are open to bad actors.

Advice to CISOs: Assume you will never create a perfect security program capable of fending off all external threats. Focus on building a full mapping of how your applications, users and networks communicate to understand your attack surface and points of greatest vulnerability. Modern battles are fought on intelligence as much as firepower.

'I don't look to jump over seven-foot bars; I look around for one-foot bars that I can step over.'

Some of the most essential requirements to reduce the risk and spread of hacks include three basic, yet neglected, practices:

• Patching old operating systems and applications with the latest updates.

• Applying multifactor authentication to your corporate networks, systems and applications.

• Segmenting high-value assets from lower-value assets.

And why do CISOs avoid these three seemingly straightforward tasks? Because they create inconvenience.

Yet these "simple" security techniques are the cyber equivalent of "bonds," where the benefits are easily understood and consistent. While many of the newest cybersecurity technologies are important, they are, like derivatives and synthetic instruments in the financial markets, difficult to understand and to build, require a Ph.D. to operate and may not yield any great returns.

Advice to CISOs: Get the basics right on your devices and in your data center and public cloud deployments. Make sure your portfolio has the right balance of solid and speculative investment instruments.

'Berkshire, like most corporations, nets considerably more from a dollar of dividends than it reaps from a dollar of capital gains.'

One definition of a dividend is a bonus or reward. Rather than look for additional dividends from existing technology and people investments, most companies are quick to adopt additional technologies.

CISOs must evaluate the architectures underpinning their technology investments and prioritize solutions that align with an organization’s broader IT strategy. As you move more workflows, applications and data to the cloud, will your cybersecurity solutions be able to keep pace? Furthermore, will your solutions actually enable you to get there faster?

Advice to CISOs: Understand if your security investments for the legacy business can stretch into your movement to the cloud, hence reducing the need to maintain multiple systems. Focus on security investments that do not lock you into one architecture and lock you out of another.

'If you're smart, you're going to make a lot of money without borrowing.'

Ward Cunningham, one of the fathers of the agile software development movement, coined the term "technical debt," noting that the problems of writing code are similar to those of finance: it is OK to take on debt as long as you can pay it down steadily without slowing the advancement of your application.

Today many CISOs face enormous technical debt because of a lack of investment in the very security practices whose neglect created that debt. This might seem hypocritical given the concerns about the rapid rise of cybersecurity spending. However, security is only a small fraction of overall IT spend, which Gartner estimates at $3.5 trillion in 2017. Is security investment at the right level relative to overall spend on IT?

As many organizations have seen, a hack of the environment can cripple a company's market cap in a day. To borrow from Buffett, "It takes 20 years to build a reputation and five minutes to ruin it."

Advice to CISOs: Make sure management adequately funds security investments alongside applications and infrastructure investments. Consider these investments as cost-of-goods-sold for your business.
This article originally appeared in Forbes.
