Cybersecurity Poverty Index 2015

A great survey graphic of the state of cybersecurity poverty by RSA.

The entire survey is worth a look, but the Key Takeaways are real treasures:

Organizations still prioritize protection over detection and response, despite the fact that protection is fundamentally incapable of stopping today’s greatest cyber threats.

The biggest weakness of surveyed organizations is the ability to measure, assess, and mitigate cybersecurity risk, which makes it difficult or impossible to prioritize security activity and investment.

It is nice to have RSA confirm my graphic on adding cybersecurity protection to the present IT stack:

(Image: present-IT-stack-plus-security)

Software, including security software, is so broken that even attempting to add on security is worthless.

That doesn’t mean better software practices should not be developed, but in the meantime you are better off monitoring and responding to specific threats.

I don’t know of anyone who would disagree that being unable to “measure, assess, and mitigate cybersecurity risk” makes setting security priorities impossible.

But, why do organizations lack those capabilities?

Do you know of any surveys/studies that address the “why” issue?

I suspect it is a lack of incentive. Consider the following paragraph from CardHub on credit card fraud:

What consumers generally do not know is that they are shielded from liability for unauthorized transactions made with their credit cards via the combination of federal law and issuer/card network policy. As a result, financial institutions and merchants assume responsibility for most of the money lost as a result of fraud. For example, card issuers bore a 63% share of fraudulent losses in 2012 and merchants assumed the other 37% of liability, according to the Nilson Report, August 2013.

With credit card fraud at $11.2 billion in 2012, you would think card issuers and merchants would have plenty of incentive for reducing this loss.

Simple steps, like requiring a second form of identification, a slight delay as the transaction goes through fraud prevention, etc., could make a world of difference. But, they would also impact the convenience of using credit cards.

Do you care to guess what strategy credit card issuers chose? Credit card holders are exhorted to prevent credit card fraud, even though fraud has no financial impact on them in most cases.

Does that offer a clue to the reason for the lack of proper preparation for cybersecurity?

Yes, breaches occur; yes, we sustain losses; yes, those losses are regrettable; but we have no ROI measure for an investment in effective cybersecurity.

Unless and until there are financial incentives and an ROI associated with cybersecurity, it is unlikely we will see significant progress on that front.
