Cybersecurity: Why too many executives still don’t invest

Skimping on cybersecurity is like failing to install smoke alarms in your home – indeed, as business executive Kevin McCarty points out in a piece for Forbes earlier this month, it’s an even worse decision. A house fire is a relatively rare occurrence, while cyber attacks are frequent – and becoming more so.

Despite the risk, “I still encounter many business leaders who are resistant to investing in systems and training to protect against cyberattacks,” writes McCarty, who is CEO of the national consulting firm West Monroe Partners.

It only takes one serious breach to show how unwise that can be. If hackers succeed in taking a company’s website or online ordering system offline, the losses can cripple a company or even put it out of business forever.

We asked faculty members in the cybersecurity program at Capitol Technology University why C-suites and business owners still balk at investing in cybersecurity – even as high-profile targets such as Yahoo, Target, and Home Depot reel from the damage inflicted by hackers.

Lack of accountability is part of the reason. According to Professor Rick Hansen, executives at large companies have not traditionally faced ramifications if a breach occurred on their watch, so the incentives for taking the problem seriously just weren’t there.

“There has been a problem with large business in that senior executives were not held accountable for cyber failure,” Hansen said. “Recently, that has started to change – we are seeing more executives being held to account, as well as talk of including cyber professionals on company boards.”

At smaller companies, meanwhile, finances are often tight and decision-makers feel they have no choice but to take a gamble. “Their budgets are cut to the bone, and they don’t have the resources, the time, or the focus to address cybersecurity.”

Dr. Emily Darraj, also on the Capitol faculty, believes too many managers view cybersecurity as an add-on, rather than as an integral part of each project.

“The current issue with cybersecurity from a management perspective is latency in incorporating security from the beginning and failure to invest in cybersecurity talent and technologies. The view needs to change where cybersecurity is included at the inception of an IT project, end-to-end to decommission of said project,” Darraj says.

“Also, management needs to invest in cybersecurity talent, products and services to ensure their environment is hardened including the supply chain. Adhering to these two points not only provides security protection, but it also ensures privacy is implemented.”

Companies must start to recognize that they’ll ultimately save money by planning ahead and baking cybersecurity into the process from the get-go, she notes.

“C-suite executives who invest in cybersecurity and include cybersecurity in preliminary discussions and beyond will have a better cyber posture and less financial loss when a cyber incident occurs. It is well documented that retrofitting cybersecurity into a design is extremely expensive,” Darraj says.

“Companies that built cyber in from the start succeeded in protecting their environments. Cybersecurity continually needs to be addressed for current and future threats and advancing technology.”