From anecdotes to patterns: The emergence of a cyber defense cost and risk model
Jun 10, 2015
When I first picked up the latest RAND research report, I did my 30 second scan of the table of contents and noticed a range of familiar topics: High cost of cyber security. Too much technology, not enough security. And, there's no silver bullet when it comes to security.
Nothing new here, or so I thought.
Then I started reading in earnest, and I realized that this is groundbreaking work. For the first time, researchers are starting to create a holistic and heuristic model that CISOs can use to articulate and balance the wide range of factors that influence cyber defense, cost and risk.
It starts to put substance and quantitative methods around all those cyber security anecdotes we know so well.
Here are a few of the areas that are coming to light in a sharper and more calculated way through this research:
Anecdotally, we know that the bad guys are winning. They are one step ahead. But now, we have a risk-oriented model that show how far ahead they are and how the gap is widening.
Anecdotally, we know that companies spend a lot of money on tools and technology trying to secure themselves, but it's still insufficient. Now, we have a model that shows the relationships between things like tools, training, BYOD policies and business processes. There is now a better way to think about what to spend on… and the answers might surprise you. For example, the two areas where spending will have the most impact in the short term are workforce training and application security.
Anecdotally, we know that the efficacy of security tools/technology wanes over time, thus value diminishes. Now we have a way to bifurcate spending between the two different but interrelated categories for tools: Those that are prone to black hat countermeasures or work-arounds and those that are not.
And, anecdotally we've known that enterprises can't just throw money at the problem. More money doesn't equal more security. This report articulates two important questions: What is the real cost of security. And, more important from an economic point of view, what is the return on risk investment?
One thing is clear: The ability to understand and articulate an organization's risk arising from network penetrations in a standard and consistent manner does not exist and will not exist for a long time. And giventhe economic maturity and structure of the hacker black market,as well as its resulting implications to businesses, we will continue to have some work to do.
But this report is the first to provide a starting point to help CISOs understand the various decisions they can make to protect their organization and ultimately better engage and garner support from the larger C-suite.
Managing security risk is not an easy problem, but it's an inevitable problem. And we have to face it as we move into the next era of cyber defense strategy.