Cyber incentive study

by Mark Rowe

The IT security company Intel Security, with the Centre for Strategic and International Studies (CSIS), has brought out a survey on three categories of misaligned incentives: corporate structures versus the free flow of criminal enterprises; strategy versus implementation; and senior executives versus those in implementation roles. The report, Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity, also covers ways organisations can learn from cybercriminals to correct these misalignments.

Based on interviews and a global survey of 800 cybersecurity people from five industry sectors, the report claims cybercriminals have the advantage, thanks to the incentives for cybercrime creating a big business in a fluid and dynamic marketplace. Defenders, on the other hand, often operate in bureaucratic hierarchies, making them hard-pressed to keep up.

Other misalignments occur within defenders’ organisations. For instance, while more than 90 percent of organisations report having a cybersecurity strategy, less than half have fully applied them. Most (83 percent) said their organisations have been affected by cybersecurity breaches, indicating a disconnect between strategy and implementation.

And while cybercriminals have an incentive for their work, the survey shows not only that there are few incentives for cybersecurity professionals, but also that executives were much more confident than operational staff about the effectiveness of the existing incentives. For example, 42 percent of cybersecurity implementers reported that no incentives exist, compared to only 18 percent of decision makers and 8 percent of leaders.

Candace Worley, vice president of enterprise solutions for Intel Security said: “The cybercriminal market is primed for success by its very structure, which rapidly rewards innovation and promotes sharing of the best tools. For IT and cyber professionals in government and business to compete with attackers, they need to be as nimble and agile as the criminals they seek to apprehend, and provide incentives that IT staff value.”

And Denise Zheng, director and senior fellow, technology policy program at CSIS said: “It’s easy to come up with a strategy, but execution is tough. How governments and companies address their misaligned incentives will dictate the effectiveness of their cybersecurity programs. It’s not a matter of ‘what’ needs to be done, but rather determining ‘why’ it’s not getting done, and ‘how’ to do it better.”

Other findings:

– Non-executives are three times more likely than executives to view shortfalls in funding and staffing as causing problems for the implementation of their cybersecurity strategy
– Even though incentives for cybersecurity professionals are lacking, 65 percent are personally motivated to strengthen their organisations’ cybersecurity
– Ninety-five percent of organisations have experienced effects of cybersecurity breaches, including disruption of operations, loss of IP, harm to reputation and company brand, among other effects. But only 32 percent report experiencing revenue or profit loss, which could lead to a false sense of security.
– The government sector was the least likely to report having a fully-implemented cybersecurity strategy (38 percent). This sector also had a higher share of agencies with inadequate funding (58 percent) and staff (63 percent) than the private sector (33 percent and 43 percent).

The report also suggests ways that the defender community can learn from the attacker communities. These include:

· Opting for security-as-a-service to counter the cybercrime-as-a-service model of the criminal market.
· Using public disclosure.
· Increasing transparency.
· Lowering barriers to entry for the cyber talent pool.
· Aligning performance incentives from senior leadership down to operators.

Good news

According to the report, most companies recognise the seriousness of the cybersecurity problem and are willing to address it.

Methodology

Intel commissioned technology market research firm Vanson Bourne to undertake research. Intel surveyed more than 800 respondents from companies ranging in size from 500 employees to more than 5,000 across five major industry sectors, including Finance, Healthcare and the Public Sector. The survey targeted respondents with executive level responsibility for cybersecurity, as well as operators that have technical and implementation responsibilities for cybersecurity. Countries represented by respondents include the United States, United Kingdom, France, Germany, Brazil, Japan, Singapore, Australia, and Mexico.

© 2024 Professional Security Magazine. All rights reserved.