We can’t stop spending on cybersecurity in favour of cyber-insurance, say Deloitte researchers at Black Hat, Las Vegas
Despite the cybersecurity industry’s acceptance that it’s ‘when not if’ an organization suffers a data breach, Deloitte Cyber Risk Services researchers Scott Keoseyan and Keith Brogan told Infosecurity that the $75bn annual spend on cybersecurity is not wasted dollars.
“Sometimes products don’t work. But more often, they’re not being used correctly,” said Brogan, senior manager at Vigilant by Deloitte. “Organizations don’t always focus on how to use the products to enable business,” he lamented, insisting that people need to take threat intelligence, give it to the right people, and use it in informed, considered ways.
When asked why organizations are still getting breached despite the $75bn spend, threat intelligence lead Keoseyan credited the adversary for finding new ways to exploit advances in a fast-evolving technical world. “We’re changing how we’re doing business so quickly, and the risk profile is growing,” he said. “We want to make security easier, but people are demanding more from technology so it is becoming more and more complex.”
Security practitioners are held to a much higher standard than the cyber-criminal, said Keoseyan in defense of the cybersecurity industry. “They have to get it consistently right, whereas the cyber-criminal only has to get it right once.”
“The cybersecurity industry is guilty of shouting ‘the sky is falling’,” said Brogan, but that’s a result of 15 years of historical under-investment. “We’ve had to shout loud to get attention,” he admitted.
Both Brogan and Keoseyan denied that too much or too little is being spent on cybersecurity, and instead argued that “security dollars aren’t wasted, but we’re not making enough of investments or using the intelligence to make decisions on which investments to make. Organizations need to spend their security dollars based on threat intelligence.”
In contrast to Jeremiah Grossman’s insistence that cybersecurity vendors should offer their customers guarantees, Keoseyan insisted that vendors can’t be held responsible for how a product is implemented. “Vendors can only do so much. If a product isn’t implemented properly, or if the customer ignores the intelligence a product offers, vendors can’t be held responsible,” he argued.
Deloitte have recently released a report called ‘Beneath the surface of a cyberattack’. The report aims to investigate the real cost of a cyber-breach. “Think of a cyber-breach as being like an iceberg,” explained Brogan, “the tip is the cyber-breach, and all the iceberg beneath the water is the damage. It’s more than just financial damage, it’s reputational damage, it’s the changes in internal culture and management. How can you quantify that?”
This ambiguity is one of the reasons why cyber-insurance is an extremely complicated business, the Deloitte researchers said. “Insurance pay-outs won’t cover the actual cost – it’s so much more than just financial damage. Insurance companies will have to manage their own risks, by looking at an organization’s protective measures and history. We cannot stop spending on cybersecurity in favour of cyber-insurance,” they concluded.