Can you still Afford “not to afford” Cyber Security?

Jean-Christophe Gaillard
July 16, 2020 Big Data, Cloud & DevOps

COVID-19 changes the game: Now is not the time to risk a cyber-attack.

Earlier ransomware incidents that have affected organisations such as Travelex in the UK or Bouygues in France profoundly question the way cyber security has been managed – historically – in many large firms. And they add their names to an ever-growing “hall of shame” which already includes British Airways, Marriott, Equifax and – sadly – countless others.

Large firms with multi-million IT and security budgets should not end up in that mess. Period.

Calling in one of the Big 4 firms to “sort things out” afterwards will not cut it anymore. At the heart of the matter is not just the need to “do things” (protective and layered “defence-in-depth” measures are well known and have been for decades) but the governance surrounding execution in those firms, the way the prioritisation of security investment was handled over the years, and the cultural and managerial aspects surrounding those.

“We can’t afford this” is an excuse we have been hearing too often from senior executives around security over the years. Many CISOs take it as a budgetary constraint. It is simply adverse prioritisation. And if security is not visibly towards the top of the agenda with management, you cannot expect good execution to follow regardless of the investments you make.

One trait many of the firms affected recently by cyber security incidents had in common (pre COVID-19) was their relatively good economic health. Those were not failing businesses chronically losing money or drastically challenged by digital disruption, as could have been the case for example in the retail sector. They were healthy and established market players churning out healthy profits.

How did they use to assess the threats they face? How did they manage their levels of exposure or protection against those? How did they determine the investments necessary to ensure adequate protection?

Clearly, not very well…

One thing is certain: They were not really short of cash – at the time. It may be a simplistic view from a CFO perspective, but the reality is that – post breach – money invariably used to appear out of nowhere to get things “fixed”.

That’s the most pathetic part of all those incidents: Shameless executives, who previously would have argued that they “could not afford” security measures, handing out millions in search of non-existent quick-wins or technical silver-bullets. And shameless tech vendors and security “consultants” lining up, without for a second daring to tell their clients what they need to hear: Buying more tech won’t help you, until you address the cultural and governance attitudes which have led you into that mess in the first place: Endemic short-termism, cognitive biases, or frankly in some cases, threat ignorance and lip service to compliance requirements.

Of course, once the entire business has been down for several days, priorities are put into perspective and mindsets change, but for how long?

Across the street, various competitors or suppliers would have been rattled and may also start thinking differently, but again, for how long?

Once the dust has settled, losses are just losses; they may not please the shareholders, but in a context where many things could go wrong for large firms, do they really matter if the health of the business is strong? For St Gobain, Maersk and others – badly hit by the 2017 NotPetya outbreak – lost sales associated with the cyber-attack were estimated in the hundreds of millions and direct costs related to the crisis in the tens of millions. Unpleasant, not invisible but manageable – in good times – on an otherwise healthy multi-billion balance sheet.

Frankly, those days have gone. The COVID-19 crisis changes the landscape totally around cyber-attacks, and that type of cynical approach now borders on plain negligence.

Which business can now afford “not-to-afford” good cyber security measures, in a context where most remaining activity has shifted online, and we are all dependent on digital services?

Security has become essential to keeping the lights on, and nobody can risk a cyber attack in the middle of all this. At the same time, cash has become precious and the business outlook is unclear.

But prioritising against security spending seems unreasonable, even in the face of massive cost reductions, and in particular in organisations where current cyber maturity levels are low.

Now is the time to look at those maturity problems in the face and to focus the scarce resources available where they will have most impact. But cutting security spending to the ground in the midst of the COVID-19 crisis would be disastrous.
