Commentary: Gilding the security lily: How much is too much?

Simply throwing money at cybersecurity won’t necessarily diminish risk — and may increase it.

In the ongoing conversation about cybersecurity, a surprising, and even disturbing, term has emerged: “gold-plating” security. Far from being part of the discussion about best practices, this phrase tends to be used derisively, even mockingly, dismissing organizations’ efforts to protect their data as unnecessarily expensive or burdensome.

As much as I dislike the implication — that investing in state-of-the-art, top-quality security is unnecessary or even foolish — I must agree with the naysayers in this respect: Simply throwing money at cybersecurity won’t necessarily diminish risk, and may increase it. “Gold-plating,” rather than providing too much security, may not be good enough.

An ounce of prevention

Lending institutions seem to have figured this out. Before the financial crisis of 2008, most banks paid relatively little heed to managing risk. For various reasons, many turned a blind eye to dubious loan applications, ignoring red flags and often tuning out their own risk managers’ warnings. Frugality was frowned upon in those high-flying days. Since the crash, though, the banking culture has made a 180-degree turn.

Today, risk management tops the industry’s priority list. According to the Wall Street Journal, risk management budgets have doubled at some major lending institutions. Risk officers now routinely sit on banks’ executive boards and, when they speak, draw a rapt audience. Few lenders question whether the cost of caution is too high, because they now know the price of failure.

Where have they spent the money? Risk-management software and systems play an important role in today’s financial world, but the primary emphasis appears to be on people. Senior risk officers’ salaries have increased as much as 40 percent, the WSJ article states, demonstrating their value to the industry. And risk-management departments are growing — by 600 people at one large bank. Careful lending has become a part of the finance industry’s very culture, starting with its people — who are, after all, the foundation of any organization.

Is something similar happening in cybersecurity? Managing the risk of a data breach is now a top priority for many organizations. Information security officers have moved out of the computer room and into the board room, and cybersecurity spending is soaring, expected to increase from around $60 billion in 2012 to more than $80 billion by 2016, the Wall Street Journal reports.

That’s a hefty price tag, but again, the price of failure is high: A data breach costs an organization $5.5 million on average today, a Ponemon Institute study shows, and may cost as much as $150 million by 2020 as our lives become more digitized.

With so much to lose, it’s no wonder companies are pumping dollars into security. But are they buying more than they need — “gold plating” their systems with expensive, needless bells and whistles? As jewelers know, gold-plated doesn’t always mean top quality. What lies under that sparkling veneer?

All that glitters

In jewelry making, a piece’s value depends in large part on the quality of the base metal. Dipping a cheap material in gold does little more than make it shine — and not always for long, as the gold wears off and the dull foundation begins to show.

What would “gold plating” an organization’s cybersecurity look like?

Maybe it’s buying a state-of-the-art system but failing to maintain it with crucial updates. Or hiring the best and brightest to oversee data security operations, but neglecting to instill security awareness among the rest of our people. Investing big in data security — the gold plate — without transforming an organization’s culture — the foundation — is like buying a top-quality alarm system for your house, then neglecting to lock the doors.

With nearly 1 billion data records reportedly lost or stolen in 2014 — 1,854 records every minute — and cybercriminals lurking undetected in hacked computer networks for a median of 209 days, this much is clear: “Gold-plating” cybersecurity is not the answer, not if it means adding more flash than substance.

A new gold standard

Far from being too good for most organizations, “gold-plated” information security may not be good enough. In fact, it may create its own set of problems, lulling us into believing we have adequately mitigated risk and can now turn our attention elsewhere. This may be true for a while, but without vigilance, diligence, and resilience on our part — and a “handle with care” mentality companywide — the fix will be temporary, at best.

Investing in the best security systems our organizations can afford is never a bad idea. By itself, though, it’s a shaky strategy, like building the proverbial house on a bed of sand. To prevent data losses of epidemic proportions, we need to do more than gild the security lily. We must go deep, developing strategies to strengthen our security foundations — fine-tuning our processes, instilling awareness at every level, even changing our organization’s very culture. Then, we might achieve at last what alchemists of old never could, transforming our cybersecurity systems into solid gold.

JR Reagan is the global chief information security officer of Deloitte. He also serves as professional faculty at Johns Hopkins, Cornell and Columbia universities. Follow him @IdeaExporer.