This blog was initially published in Enterprise Security Tech in September 2023.
In the original Ghostbusters movie (1984), Bill Murray’s character, Dr. Venkman, visits the apartment of his romantic interest, Sigourney Weaver’s Dana Barrett. Dana, living at the epicenter of the paranormal activity, is visibly possessed by an evil spirit when Venkman arrives. The sultry and scantily-clad (at least in the context of 1984 cinema) Dana lies on the bed, looks at Dr. Venkman seductively, and asks, “Do you want this body?” Bill Murray’s now-famous retort: “Is this a trick question?”
In a scene from the modern-day CISO’s office, what do you think might happen if I asked a CISO, or someone else responsible for their organization’s cybersecurity, “Would you have a better chance of stopping bad actors from infiltrating your network if you had 40% more budget?” I think there’s a good chance they would channel Bill Murray in Ghostbusters and ask exactly the same question he asked of a possessed Sigourney Weaver.
As it turns out, a 40% increase in the cybersecurity budget might be a trick question and a CISO pipe dream, but the mental exercise is actually rooted in fact. A January 2022 Forbes article quotes a survey of financial institution CISOs who estimate that they “spend up to 40% of their cybersecurity budget submitting regulatory compliance reports.”
With few exceptions, every dollar counts in every corporate budget, including cybersecurity. So spending one third to half of it on compliance must be a tough pill to swallow for the average CISO…or is it? Ultimately, the job of a CISO is to minimize their organization’s cyber risk and prevent successful cyber attacks. But might that goal be obfuscated by an unwavering loyalty to compliance, sundry certifications, audit gold stars and such? If standards compliance is the primary objective of a security team, one can’t fault them for spending up to half of their budget doing what they’re incentivized to do, whether it legitimately minimizes the organization’s cyber risk or not.
Which brings us to Charles Goodhart and the law that bears his name. Goodhart’s Law states that, when a measure becomes a target, it ceases to be a good measure. There are myriad examples, but one that rings true with many is the standardized achievement test popularized in the early 2000s, and designed to measure how well students were learning and schools were teaching. With funding and other incentives (both carrots and sticks) tied to standardized test results, schools became slaves to the metric (standardized test scores) in lieu of the goal (improved learning by the students). Learning took a back seat to maximizing performance on the standardized tests.
I believe that Goodhart’s Law is finding a new application in cybersecurity and its obsession with compliance. Organizations are checking all the boxes, armies of auditors and compliance professionals are enjoying long careers, GRC vendors continue to grow their businesses, certificates of compliance are being printed, audits are being passed… and yet the number of successful cyber attacks continues to increase—weekly cyber-attacks have gone up by 7% in Q1 of 2023 compared to the same period last year.
The metric (compliance certification) has now become the target, and the objective (stopping successful cyber attacks) has become subordinate to the metric. Charles Goodhart lives. (He actually does…he’s now 86, but importantly, so does the principle that made him famous.)
As a cybersecurity community, we need to re-think our commitment to – and investment in – compliance. Can we all agree it’s not working? If successful breaches were confined to organizations that either didn’t invest in compliance or were unsuccessful in achieving it, then we could talk. But we all know that’s not the case. We need to start thinking about taking that 40% and investing more of it in the things that have the best chance of making the bad guys’ lives more difficult. We won’t win every battle, but at least we’ll be fighting the right war.