Did you know that six years ago, cybersecurity didn’t even rank in the top ten risks prioritized by company boards? Today, we live in a world where cybercriminals seem to have the advantage as they continually find new ways to steal sensitive information. Despite organizations across the globe spending more than ever to manage cyber risk, attackers continue to get through.
So, what has caused cybercriminals to now have the upper hand? This is exactly the question that is answered in a recent report by Intel Security and McAfee. These new findings tell us that it could come down to misaligned incentives between the attacker and the defenders. For MSPs, this presents new opportunities to restructure services and internal processes to incentivize innovation and improve security services.
What Causes Misaligned Incentives in IT?
The study identified a few key contributors to misaligned incentives. The first is rigid corporate structures. Corporate bureaucracy puts cybersecurity professionals at a disadvantage against their adversaries because they must work within strict constraints formed by governance, risk management and structured workflows. In contrast, cybercriminals have significant flexibility through freeform, ad-hoc networking. Thus, the defenders are at a slight disadvantage and don’t have the opportunity to meet the attackers on the same playing field.
Strategy versus implementation is another problem commonly encountered in large organizations, the report found. While 93 percent of respondents have plans in place for current and future threats, those plans may not be as comprehensive as the executives believe. Cyber-defense operators feel the strategies in place primarily address current threats, while emerging exploits and security holes are not handled appropriately, which leaves the companies at risk from innovative attackers.
Executives and operators often use different key performance indicators to measure success, which also creates internal discord. Front-line cybersecurity professionals measure success by looking at their overall breach incidents, conducting penetration testing, calculating the cost of recovery and performing vulnerability scans. The executives are primarily concerned with general performance numbers and the costs associated with these procedures.
Lastly, cybersecurity teams lack the incentives and rewards their adversaries receive. Cybercriminals get a big payoff when they successfully receive a ransom or breach a system. They have the tools to experiment with new methods to beat the security systems in place, while internal IT teams are often restricted by corporate bureaucracy.
Author: Scott Spiro