[BreachExchange] How Not To Waste A Trillion Dollars On Cybersecurity

Destry Winant destry at riskbasedsecurity.com
Mon Nov 12 01:58:25 EST 2018


https://www.forbes.com/sites/forbestechcouncil/2018/11/09/how-not-to-waste-a-trillion-dollars-on-cybersecurity/#45c4d549df9a

It’s budget season. As the current fiscal year comes to a close,
business leaders everywhere will convene to discuss business strategy,
opportunities and return on investment (ROI) while prioritizing next
year’s budget spend. Amidst the planning and prioritization, it is a
safe bet that IT organizations will renew their annual request for an
increased budget allocation for security. After all, increasing
cybersecurity spend will stop the attackers from compromising their
infrastructure next year, right?

Cybersecurity Ventures recently predicted that global cybersecurity
spending will increase steadily to exceed $1 trillion from 2017 to
2021. But the news site also claimed that the cost of cybercrime
around the world will rise to $6 trillion annually by 2021. Something
seems wrong with any prediction that correlates increased spending on
prevention with increased damages from successful penetration of those
same defenses. That's not because I disbelieve the numbers but because
they show how truly broken the legacy approach to cybersecurity is.
The industry has literally gone decades with no real improvement. How
is this acceptable?

It is time we shined a light on the industry’s worst kept secret:
Throwing more money at the problem simply does not keep attackers out
or breaches from happening. It is a good bet both things will continue
to happen. What's more disconcerting to consider is that they have
already happened and you just simply don’t know it yet.

Why The Math Doesn’t Add Up

The problem isn’t solely centered on technology; there have been many
significant innovations in the cybersecurity industry in recent years.
For many companies, the elephant in the room is treating security as
only a technology problem. Just look at Facebook’s current situation.
Modern-day CISOs have increasingly found themselves helpless to effect
real change to secure an organization’s data and infrastructure
because they lack the insight of the conditions that give rise to bad
or risky behavior.

For instance, traditional IT security assumes everyone is a
potentially malicious actor and therefore works to prove the guilt of
someone who clicks suspicious links, visits dangerous websites or
inappropriately accesses sensitive data. Not everyone is intentionally
bad, but their behavior is a continuum that can change in an instant,
especially when their identity is stolen. Even more basic, employees
can make honest mistakes in today’s 24/7 culture. Pushing work-life
balance to meet compressed deadlines, they may be too tired to
recognize a phishing email that compromises their credentials until
after they have clicked on it. What's potentially more damaging, they
could simply become disgruntled with their employer and decide to steal
company data.

Investments focused on securing a constantly changing IT
infrastructure do not address the unpredictability of human behavior.
Instead, organizations need to make a fundamental change in their
approach to cybersecurity and reprioritize budgets to align with this
newly defined reality of our modern society.

Rethink Operations Budgets To Focus On Behavior

The first step is to stop thinking about security as solely a
technical problem with technical solutions. Today’s sophisticated
threat landscape is a rich, multifaceted organizational challenge that
requires insight on how data is used across myriad business functions.
Shifting the focus to understanding the behavior patterns of people
and their interactions with technology provides clarity in regard to
who is using sensitive data, why and from where.

Having a baseline for behavior, a digital rhythm or routine, can help
security and business leaders better manage risk. If an employee is
working normally on the job, IT can get out of the way. But if the
behavior is inconsistent with the organization’s mission, IT can
recognize the risk and quickly respond with coaching or stronger
enforcement policies. Context matters. Security teams that only focus
on securing computers and servers will miss the broader perspective
and the signs of an incident or data breach until months after it
happened.

The cybersecurity skills gap has been another area where the security
industry is struggling. Under the traditional model of cybersecurity
there are more seats to fill than there are educated and experienced
people to fill them, and many cyber issues have arisen simply from
lacking the time and manpower to find and resolve threats before they
impact businesses. Businesses will always need skilled workers, but
they can leverage automation and behavior analytics to help lighten
the load.

Security leaders will also be more effective if they establish
functional partnerships and strategic programs with human resources
and legal teams. The HR and legal departments share the mission to
secure the organization’s data and people. These business functions
have a vested interest in user and data protection, from preventing
confidential information from falling into the wrong hands to
protecting the workforce by ensuring compliance, employee privacy and
safety.

It is no real surprise that the cybersecurity industry has been so
resistant to changing its approach. Continuing reports of breaches are
good for budget increases. But it’s clear this model is not good for
global business, as breaches cost economies billions of dollars each
year. It is time for a paradigm shift in the cybersecurity industry.
When we understand people and their interaction with data, then we
have the tools to mitigate cybersecurity risks before any real damage
can be done.
