Tradeoffs in Cybersecurity: Efficiency vs. Resilience
3-18-2024 (Monday)
Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, March 18, 2024, and we’re going to look at tradeoffs in cybersecurity.
Everything’s A Tradeoff - Efficiency vs. Resilience
Everything in cybersecurity is a tradeoff. Sometimes it’s the classical tradeoff between the “CIA Triad” of Confidentiality, Integrity, and Availability.
Sometimes it’s a tradeoff that we’re likely all familiar with: good, fast, and cheap - pick any two.
But the tradeoff that we’ve been seeing made lately is one of resilience vs. efficiency.
What do I mean by that?
Well, when we optimize for efficiency, we often find ourselves choosing a path that a security person might see as a “single point of failure.” And, if that single point continues to perform, the choice of efficiency seems like a good one.
Until it isn’t.
And we’re seeing that play out very publicly with the situation around Change Healthcare’s ransomware attack. In fact, a survey from the American Hospital Association noted that 94% of hospitals reported at least “some financial impact” because of this attack.
“Beyond the financial hit, 74% of hospitals said the incident resulted in ‘direct patient care impact.’ Almost 2 in 5 hospitals said that their patients are ‘having difficulty accessing care.’”
The impact has been so large that “The Office for Civil Rights opened a probe into Change Healthcare on Wednesday, with Department of Health and Human Services Secretary Xavier Becerra promising Congress the next day that his department would pressure UnitedHealth Group and other payers to commit to further support.”
In another high-impact event from last week, we saw what was characterized as a “configuration change” take down McDonald’s restaurants across the world.
In each of these cases, there were valid reasons for optimizing for efficiency. Unfortunately, those choices also have unintended consequences - namely a meaningful reduction in resilience when that efficient choice is not fully functional.
As we look to make our own tradeoffs, I think this is absolutely a point worth remembering. While the more resilient way may seem less efficient - because it is! - there are advantages to these other structures, processes, etc.
Not only is this balance up to each of us in our operational, IT, and security decisions, but they are decisions that can be reviewed when it makes sense to review them. If you review a decision and decide it’s still the right fit, that’s not time wasted or a lost opportunity - that’s affirmation that it’s still the right fit for you.
This is the reason we encourage clients who accept a risk to do so for a defined period of time - say 12 months - providing structure to revisit that decision. Same idea here.
Fundraising
From a fundraising perspective, a bit of a deviation from the recent announcements of large funds - with only a combined $3.9B in committed capital announced. I would note that there were quite a few “is raising” or “intends to raise” announcements, but we don’t count those the same.
This is also the smallest volume of funding announced in any week in 2024 - including the very first week coming off of the holiday. For what it’s worth - I wouldn’t over-index this data point. Instead, let’s see how the Reddit IPO goes later this week, and what other macro moves are made.
You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links
https://edition.cnn.com/2024/03/15/business/mcdonalds-systems-failure/