For many years now, the speed of revenue growth and tooling in the cybercrime market has exceeded the rate of investment in cybersecurity.
According to various estimates, the global proceeds from cybercrime in 2018 were probably somewhere far in excess of $1 trillion, perhaps even as high as $1.5 trillion. Cybercrime is a market that has seen growth rates estimated by some, including the UK Police, to have a year-on-year growth rate of over 50%.
Meanwhile, the cybersecurity market spends a fraction of that amount on defense. In 2018, the total global spend on cybersecurity was estimated to be around $150 billion, or in other words, about 90% less than the revenue stolen through cyber-attacks.
The amount of revenue achieved by cyber-criminals belies the cost of the damage they cause to the organizations impacted. Take an event such as the 2017 WannaCry attack: it achieved almost no revenue for the party that perpetrated it (a figure of £108,000 or approx $140k has been mentioned), and yet the estimated cost to address the problems in just one impacted organization, the UK National Health Service (NHS), was revealed to be around £92 million – well over $100m.
With NotPetya, the overall remediation costs globally have been estimated at around $8 billion, but in the end, that crime turned out to have no real focus on revenue, simply on disruption.
Whether you look at the impact of data breaches on company values on Yahoo, Marriott or others, the huge impact on share value and costs for remediation dwarf their historic investment in cybersecurity. In the case of Yahoo, the mega breach arguably cost the company around 10% of the eventual resale value.
As the gap between underworld revenue and cybersecurity defense widens, it’s time to re-assess our approach.
Many organizations make bold statements about how they value the privacy of their customers, or how they invest in securing their data and services – but the truth is most of them are spending far too little. Many of them make these statements straight after their inadequate approach to information security has just been exposed through a mega breach, where they cannot even work out how much data they have lost.
The uncomfortable truth is that it is possible to defend data, services and the technologies they rely on, but it is expensive and to be effective, security has to be present from the outset.
We have all heard the term “Security by Design,” but cybersecurity is still rarely something that is adequately considered and managed from the outset of building and adopting new technologies.
Treating information security as a paint to try and apply as an afterthought is a surefire way to lose data and alienate customers and shareholders alike. The list of excuses rolled out for each mega breach never hold up to close inspection, and this is often reinforced by the reluctance of the organization that has suffered the breach to open up about what went wrong, or worse to get their diagnosis wrong and allow the underlying causes to persist.
Customers, shareholders and infosec professionals alike all hope that in 2019 it’s time to rectify the situation. Cybersecurity professionals can keep data and services secure given the right level of resources and access – and although there are skills shortages in the market, discussions with different organizations reveal that the ones that are suffering the most turn out to be the same ones that are least attractive for the savvy cyber professional to want to work for.
After all, if the cybersecurity approach and expenditure at an organization is under-resourced, with under-investment in training and the security team used as scapegoats for blame rather than a mission-critical function, then the question is not how much they pay, but rather what other organization could I go work for?
Whether you are a CEO, an investor, a customer, a regulatory agency investigating breaches or even a fellow infosec professional, I am going to offer my own thoughts on the tests that demonstrate when organizations have the right approach to securing their data, products and services.
Have a Chief Information Security Officer
Firstly, I am no longer trusting any organization that has not yet worked out that they need a single point of accountability for security (the Chief Information Security Officer) that must report to the CEO and definitely not to the CIO. Any major organization that has several CISOs, none at all or one that reports to a role where there is a very clear conflict of interest has a fundamental problem that it is not tackling.
Spend at least 1% of global revenue on cybersecurity
Secondly, for organizations that want me to be confident about their approach, I want to know just how much they spend on their cybersecurity, preferably expressed as at least one per cent of their total revenue.
It is no secret that mega breaches can cost companies hundreds of millions of dollars and force them to lose substantial percentages of their share value. In my experience, getting security to the right level on business-critical technologies can often involve expenditure at a rate that is close to the cost of the technologies themselves. Effectively, take the cost of the most vital technology that an organization needs to secure, and add on the same amount again. Frightening, isn’t it?
You might think the approach of matching tech spend with security spend is excessive, but think about it: between obtaining the right security advice, the security architecture, securing configurations, security testing, security gateways, anti-malware, data loss prevention, real-time security detection and alert and response capabilities, security gets expensive – and that is a major reason for many of the problems that are out there.
Most organizations understand that they need to spend at least 0.5-1% of revenue (or more) on managing their financial function – and the purpose of the finance function is to keep the money under control.
In the digital age, information and technology are a vital currency, and the cybersecurity function is the area that has the task of keeping those components secure.
DevSecOps and Security by Design
From my own experience, which includes running eight-digit cybersecurity budgets, executives still want to hear that appropriate security can still be achieved as an afterthought, as though it is a paint that can be applied at the end.
As an example, any organizations running out-of-date or unsupported software know they cannot keep those items secure without effectively disconnecting them ... preferably at the mains. Why would they keep running those systems, and what self-respecting infosec professional wants to try to apply security to them?
Whenever I have scratched the surface of any organization that has complained about having difficulty attracting or retaining cyber talent, it always turns out that they have a shockingly sub-standard approach to security. In many cases, those organizations are trying to hire the wrong skills into an under-resourced team to work on out-of-date technology. It should come as no surprise that good staff don’t want to work in those places.
Organizations that are effectively rolling out security by design, implementing what is widely referred to as a DevSecOps approach, are those who are becoming hard targets for hackers to compromise.
In summary then, if you want to know how to get cybersecurity right in 2019, make sure your organization has an effective CISO, reporting into the CEO, spends at least 1% of its revenue on cybersecurity, and is actually embracing the need for all of the critical technology to be based on implementing security by design throughout its lifecycle. That is the only kind of company I would consider working for – and there are still too few of them.