Examining the Impact of Reactive and Proactive Investments in Cybersecurity
By Dr. Mauricio Angee, CISO, University of Miami Health System
Cybersecurity has become an essential and critical component of every organization. From retail corporations, financial institutions, healthcare organizations, government agencies to small businesses safeguarding information assets and maintaining compliance with laws and regulations has become a priority. As some organizations live in heavily regulated environments with significant regulatory oversight, compliance expectations influence senior management and the Board of Director’s investments in cybersecurity. Thus, to guarantee information assets are secured, and protected organizations must implement a cybersecurity program, develop a multi-year strategic plan and ensure the proper investments are made to support both the security programs and the strategic plan. Does this phenomenon pose the following question, if a company is perceived to comply with laws, regulations, and standards, then is it likely that cybersecurity investments will decrease?
A significant amount of evidence shows that organizations in every industry experience a wide range of incidents involving data loss or theft, computer intrusions, and privacy breaches (Symantec, 2019; Verizon DBR, 2019; Trend Micro, 2019). In an effort to prevent security breaches, organizations have heavily invested in technical controls for the protection of critical systems and sensitive information (SANS, 2014). Security breaches and their impact on organizations can be the consequence of weaknesses of technical and non-technical control implementations. Organizations have implemented technical and non-technical measures to mitigate these risks (Siponen et al., 2007). Considering the consequences of recent computer security breaches, industry security reports have pointed out that one factor contributing to this phenomenon was the resulting lack of information security investments. Furthermore, substantial financial investments committed to technology-based security solutions have not resulted in decreased IS security risks and threats (Öğütçü et al., 2016).
Cybersecurity programs serve to maintain a sound security posture beyond regulatory compliance. Also, information security manager should not base their information security program solely on the premise that compliance requirements should drive security or that security investments are enough as long as regulatory requirements are met. In other words, organizational investments in cybersecurity should not be driven solely by regulatory compliance requirements.
Depending on the industry, some organizations are meeting regulatory compliance. For instance, financial and banking institutions are required to comply with the Gramm-Leach-Bliley Act (GLBA), healthcare organizations are required to comply with the Health Insurance Portability and Accountability Act (HIPAA), educational organizations must comply with Family Educational Rights and Privacy Act (FERPA), etc. In healthcare organizations, the HIPAA Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting electronically protected health information (ePHI.) As a result, security managers may interpret this premise as “doing only the minimum to meet the requirements to comply” but not really focus on having a robust strategy beyond what is required. Research has been focusing on the premise that “compliance does not equal security.”
Other factors that influence the need to ensure cybersecurity programs are effective in providing the proper security controls are in place to protect an organization’s information assets include :
(1) Changes in cyber threats landscape (new and more sophisticated attacks),
(2) Changes in regulations (state, federal, and international),
(3) Challenges to adapt to the rapid changes in technology (innovations),
(4) Challenges to secure and adequate monitor legacy systems,
(5) Challenges to hire, train, and retain human capital.
For these reasons, two critical questions must be asked:
- What are the drivers that influence investments in information security?
- How should security managers prioritize investments to enhance an organization’s security posture?
An economics perspective naturally recognizes that while some investment in information security is good, more protection is not always worth the cost (Gordon, 2002). By leveraging a risk-based approach to security, progressive organizations can reduce risk, reduce costs, improve response readiness and increase risk-posture visibility (ISACA Journal 2013). Security practitioners have taken a more comprehensive approach to prioritize investments to enhance their information security programs. Some of these approaches are based on risk management practices (proactive), as a result of a security incident, incident-driven practices (reactive), or by following regulatory guidelines (compliance-driven). However, the compliance-driven approach only forms part of a holistic approach to security (Anderson and Choobineh, 2008). Other issues may arise from external regulatory pressure that could have a potential impact on information security investments.
Previous research has not addressed the problem of why reactive information security investment fails. In recent years, ransomware attacks against healthcare organizations have increased significantly. According to a report from Emsisoft data, 560 Healthcare providers fell victim to ransomware attacks in 2020. After action reports have uncovered severe weaknesses in healthcare organizations’ cybersecurity programs and their lack of cybersecurity investments, some security experts say that organizations have a reactive security posture. When organizations take a reactive approach, issues that arise from previous failures, to invest in information security initiatives, they face the potential to spend more in remediation and mitigation efforts, not to mention regulatory fines. Thus, regulatory compliance and security breaches trigger investment in information security.
However, focusing on a proactive approach to information security holistically may help organizations strengthening their cybersecurity programs. Several factors are likely to influence a proactive approach to information security. These factors include the need for managers to take a risk management posture to anticipate, adapt, prevent, and effectively manage potential security incidents. Drivers that influence investments in information securityAccording to Siponen et al. (2014), information security investments are not keeping pace with information technology investments and investigating the drivers that influence investments in information security are essential elements to determine the cybersecurity programs’ efficacy and effectiveness. By looking at factors such as business process, organizational climate, senior management evolution and support, technology innovation, risks, threats landscape, and regulatory issues should help justify the investment in an organization’s security program.
The importance of information security might be unclear within the management team. Important drivers for investing in information security are attributed to senior management support and their overall understanding (beliefs) of security issues beyond compliance (Barton et al., 2016). In addition, senior management must have a strong commitment to ensuring that information security investments support the business objectives, are commensurate with the risks, and ensure regulatory compliance requirements.
| Proactive | Reactive | Compliance based (check the box) |
| Strategy | Lack of planning | Meet minimum security requirements |
| Assess | Break-fix | |
| Planning | Narrow focus | |
| Execution | Poor execution | |
| Re-assess | ||
| Re-align |
