Cyber Blog - Published 20.9.2017

Cyber Security Is Important But Not That Important

Teemu_KanstrenNow that we got your attention with the title, let’s stop and think about it for a moment. People and companies don’t generally care about cyber security. They care about their core business, and they care about the bottom line. In order to run their core business successfully, they must pursue risk analysis and risk management as central activities.

In essence, people and companies don’t care about cyber security for its own sake. They care about cyber security as an increasingly important risk to their business, as identified by their risk analysis. And since cyber security is not part of their core business, it makes little sense for them to invest big in it, if they can make with less. Thus is born the cyber security-as-a-service industry, where specialized companies can provide cyber security services to a larger customer base at a competitive price. These service providers can then invest in the more advanced and generally deployable solutions, such as big data and artificial intelligence for cyber security, while businesses can outsource the non-core parts of cyber security to them.

This is simply one of the findings of our recent study on the current status of industrial cyber security. We carried out in-depth interviews with several global actors in Finnish industry, both with cyber security service providers and end-users, and followed this up with a broader survey of the same topics. In the same vein, one of the most difficult topics we found was the forming and maintaining of good awareness of overall cyber security landscape for a company. Yes, people acknowledge that security awareness is important, and yes people know it should be done right. But it is a cost and it does not bring in money, so unless other factors are present, in practice much less will be invested in it. Some examples.

If the public-sector officer at a small organization is given responsibility for cyber security on top of their regular day-job, with no specific cyber security expertise, and no budget to take care of this, we can hardly blame them for not being able to manage all the details. Elsewhere, consider an industrial production company, responsible for your trendiest internet-of-things gadgets, paper plant, or industrial parts and engines, operating on razor thin margins in a globally competitive sector. Here cyber security is commonly “nice to have”, but the customer is not willing to pay more for it. How can the producer be expected to provide it, when this makes them more expensive in comparison to global competition?

The incentive for companies and organizations to address cyber security comes from the need to mitigate their risks (“worst case scenarios”) while at the same time remaining competitive, and from the enabling factors such as funding. For example, regulation, as a word, commonly may provoke negative feelings in everyday life, but it can be a strong cyber security incentive, as it forces everyone to take security into account. It helps companies secure the required cyber security funding, as all of their competitors are also required to do it, or face the high risk of non-compliance leading to competitive disadvantage, fines and other problems. But, cyber security will not happen simply because we would like it to, or because “it is the right thing to do”. If that is your only incentive, you will be out of the business and out of a job.

After stating the above facts, people often do agree and state this as obvious. Of course you do it because of the risks and the money, both as a cyber security service provider and customer. It is not difficult to find agreement on this. Yet, in the next sentence, people commonly express the view that we should “be good” and do cyber security right, and make the world a better place. Contradictions.

How much more would you pay as a consumer for a mobile device that has got the latest security upgrades, every month, for the next five years? If not much, where is the business sense in that? If you build industrial parts or products in a global market, for which no security requirements exist, how could any company make the investments to make that happen when “no-one cares”? We need a broader view in all this discussion. Cyber security is more than just technical viewpoints. This is something we keep in mind in our research as well and when working in collaboration with our customers.

Teemu Kanstrén, Senior Scientist, VTT Technical Research Centre of Finland