5 Lessons Cyber-Security Chiefs Can Learn From Warren Buffett

In 2017, organizations invested $86.4 billion in technologies designed to protect their data—a figure that is double what it was less than five years ago. Meanwhile, it seems like nearly every other week, there’s a new wave of headlines reporting on the latest major security attack. This breakdown has security leaders posing the question: Are my security investments working? Alan Cohen, chief commercial officer of Illumio, has been having a lot of these types of conversations with chief information security officers (CISOs) and IT leaders. Over time, he’s come to realize that there are parallels between best practices for security and finance. In fact, security leaders can learn a lot from the way Warren Buffett protects his financial investments. This eWEEK slide show offers some of those perspectives.

Faced against an increasingly perilous threat landscape, most security teams are doubling down on traditional security technologies and management practices. But this is a failing strategy. Just as IT infrastructure has evolved, and with it the nature of cyber-attacks, the security tools that worked well a decade ago are no longer effective in today’s distributed and dynamic world.

Evaluate the ROI of your security technology portfolio like Buffett evaluates his financial investments portfolio. Create a framework that measures the performance of your investments in people, processes and technologies on a regular basis, be it quarterly or annually. Defining metrics around things such as incident reduction, speed of application deployment, cost savings in overall IT spend, time to compliance and customer acceptance equips you with data on which security tools are working and which ones aren’t so that you can make adjustments accordingly.

While many security leaders are terrified about “flying blind”—the inability to spot malware on their organization’s devices—the reality is that most CISOs don’t actually have visibility into their data centers and cloud environments. They lack the basic understanding of how their applications are communicating over networks and which channels are most vulnerable. As a result, CISOs blanket their systems with threat detection technologies that inundate them with alerts, many of which are false positives and can distract them from responding to real threats.

Build a map of how your applications, users and networks communicate so that you have visibility into your attack surface and where your greatest points of vulnerability lie. Similar to how doctors rely on MRIs to see the connections in a patient’s body and make informed decisions for treatment, security leaders should make sure they understand the connections within their data centers and cloud environments so that they know all of the potential attack vectors and where they’re most vulnerable. Armed with this intelligence, they can curate their security investment strategy to prioritize sensitive areas, effectively manage alerts and focus on responding to real threats.

Three fundamental requirements to reduce the risk and spread of security threats are basic, yet often neglected, best practices: a) patching, i.e., update operating systems and applications with the latest software; b) multifactor authentication, i.e.,require multifactor authentication for corporate networks, systems and applications; and c) micro-segmentation, i.e., segment high-value assets from lower-value assets. Investing in these simple security techniques is the cyber equivalent of investing in bonds: The benefits are easily understood and consistent.

Instead of getting caught up buying the hottest new security technology, cover the basics first. If you aren’t already investing in patching, multifactor authentication (MFA) and micro-segmentation across your devices, data centers and cloud environments, then you’re missing out on three of the most fundamental security best practices that will have the greatest returns for keeping your organization safe.

Rather than looking to create additional dividends from existing security investments (be them technologies, people or processes), most organizations are quick to adopt new technologies. Security and IT leaders should work together to ensure that security investments align with their organization’s broader IT strategy. As your organization moves more workflows, applications and data to the cloud, ensure that your security solutions not only keep pace but actually enable you to get there faster.

Security should be a business enabler, not an inhibitor. Make sure that security investments for the legacy business can provide the cover you need as your organization moves to the cloud and adopts new technologies and workflows.

Organizations spent an estimated $3.5 trillion on IT in 2017, with security accounting for less than 3 percent of that total. But as we’ve witnessed from the high-profile attacks of the last year, a hack can cripple a business’s market cap. Or in the words of Warren Buffett: “It takes 20 years to build a reputation and five minutes to ruin it.” If security is an underpinning of a business, then organizations should allocate investment dollars and resources accordingly.  

Make sure security receives the adequate funds and resources necessary to ensure your investments are effective. Use the performance metrics of your security investments to demonstrate clear ROI to your board and other decision-makers so that security is viewed as an integral resource that supports the company’s revenue stream and overall business value, rather than as a cost center.

In today’s hostile threat landscape, the stakes involved in protecting your organization have never been higher. Yet, with the massively crowded vendor landscape, it’s easy for security professionals to get stymied—but it doesn’t have to be that way. Security leaders can look to Warren Buffett’s investment philosophy for wisdom on how to approach their security strategy to ensure they’re getting the biggest returns on their investments.