The RAND Corporation has published a report, sponsored by Juniper Networks, looking at the challenge of corporate cybersecurity. What it discovered is that, despite increased spending, Chief Information Security Officers (CISOs) believe that attackers are gaining on their defenses.
The report highlights the scale of spending on cybersecurity by large corporations. It currently sits at over $70 billion per year and is growing at between 10 and 15 percent. That level of spending raises questions as to how effectively the money is being spent. It suggests that companies need to look more closely at what they are getting for their money.
According to Martin Libicki, co-lead author of the study and senior management scientist at RAND, a nonprofit research organization: “Despite the pessimism in the field, we found that companies are paying a lot more attention to cybersecurity than they were even five years ago.
“Companies that didn’t even have a chief information security officer five years ago have one now, and CEOs are more likely to listen to them. Core software is improving and new cybersecurity products continue to appear, which is likely to make a hacker’s job more difficult and more expensive.”
The report should be required reading for board-level executives
The report, which runs to 162 pages, makes for interesting reading and can be accessed from the RAND Corporation site. It is not often that a report comes along that should be required reading but this is an exception.
It is not just about the quality of the respondents but the way the report details key issues. It looks in detail at what the respondents had to say with some surprising results. There is also a focus on the efficacy of existing systems and the need to improve software.
Most important of all, the report lays out a heuristic cybersecurity model and a set of lessons for organisations and public policy. All of this is based on the responses of 18 CISOs who were interviewed based on a set of 21 questions which are set out at the end of the report.
While this is a report with a low number of respondents, they were drawn from an interesting mix of organisations. Eight came from the military, four from communications, three from finance, two from manufacturing and one from government. All of these are areas under constant attack and from industries that have recently suffered attacks and data losses.
Cybersecurity still a hard sell
Among the early conclusions are some that will come as no surprise to most in the security industry. For example, cybersecurity is still a hard sell, especially to chief executives. In a recent security analyst briefing, HP said that this is beginning to change. It cited the job losses among the board at Target as the moment when boards started to pay attention. However, that is not borne out by this report.
It quickly becomes clear that there is confusion among the CISOs as to how to deal with cybersecurity on a daily basis. There appears to be a problem in deciding whether enough money has been spent or whether more is needed. When you talk to security experts, they are concerned by this approach. From their perspective, the speed with which the cybersecurity threat evolves means that, unlike other IT systems, cybersecurity is not a one-shot expense.
This is a reasonable view; however, it is easy to have sympathy with the CISOs. They are spending big on cybersecurity solutions, and in any other part of their business they would expect that level of spend to be a one-off or a once-every-several-years cost. There is clearly a need for better metrics to prove what is being achieved and what still needs to be done. This has to be allied with more education to understand that this is a continual battle.
“The security industry has struggled to understand the dynamics that influence the true cost of security risks to business. Through Juniper Networks’ work with the RAND Corporation, we hope to bring new perspectives and insights to this continuous challenge. What’s clear is that in order for organizations to turn the table on attackers, they need to orient their thinking and investments toward managing risks in addition to threats,” said Sherry Ryan, Juniper Networks’ chief information security officer.
Should governments play a greater role?
This is a sensitive area. Talk to many of the big security vendors and they will tell you that the last thing that is needed is cybersecurity delivered in the same way compliance is delivered. There is a belief that this would not improve security; it would just have companies delivering to a set of requirements that are inflexible, quickly outdated and, once published, relatively simple for hackers to circumvent.
According to the report, that view seems to be shared by the CISOs who were interviewed. What makes this compelling is that half of the CISOs come from a military or government background. The report’s authors, however, feel that there is still a place for government to act. They propose an approach focused on understanding failure, similar to that used in aviation and medicine.
There is already a move to requiring greater reporting of any cybersecurity incidents across the US and Europe. This would need to be a statutory requirement if what the report authors propose is to work.
A more interesting approach is to improve the sharing of data. This is starting to occur in certain industries such as finance, where security teams already do a significant amount of unofficial threat intelligence sharing. It is an approach that the security industry is keen to see extended. HP, IBM and others have all been announcing their threat intelligence and sharing solutions over the last six months.
There are also industry standards emerging that are aimed at making it easier to exchange data. These are the Structured Threat Information eXchange (STIX) and Trusted Automated eXchange of Indicator Information (TAXII). They allow data to be pulled in from a range of vendors and enterprises and shared. While this is likely to be used mainly by vendors to improve their offerings, there is a case to be made for greater enterprise access to the data.
A heuristic model that can be applied to any organisation
One of the most interesting parts of this report is the heuristic model which will challenge a lot of companies to reassess how they currently deal with cybersecurity. It shows how organisation size determines the best strategy and how changes in policy can affect the level of potential losses.
Unlike many models, this one puts a cost against the changes to provide a cost-benefit analysis.
There is a lot in this report to digest but the time spent is likely to provide most CISOs with ideas and approaches to help improve their cybersecurity. This is not just a report for the CISO. As the board becomes more engaged with issues surrounding security, there is a need for information that meets their needs.