
Report reveals IT management misalignment with cyber security

March 9, 2017 | February 28th, 2019

Posted on 05/03/2017 - TI INSIDE

Intel Security, a strategic partner of [SAFEWAY], in partnership with the Center for Strategic and International Studies (CSIS), released “Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity”, a global report and survey revealing three categories of misaligned incentives: corporate structures versus the free flow of criminal enterprises; strategy versus implementation; and senior executives versus professionals in implementation roles. The report highlights ways in which organizations can learn from cyber criminals to correct these misalignments.

Based on interviews and a global survey of 800 cyber security professionals from five industry sectors, the report describes how cybercriminals are at an advantage, thanks to cybercrime incentives that generate big business in a flexible and dynamic marketplace. Defenders, on the other hand, often operate in bureaucratic hierarchies, which puts them under intense pressure to keep up with demand.

Additional misalignments occur within defender organizations. For example, while over 90% of organizations report having a cyber security strategy, fewer than half have fully implemented it. In addition, 83% said their organizations were affected by cyber security breaches, indicating a disconnect between strategy and implementation.

And while cybercriminals have direct incentives, the research shows not only that there are few incentives for cyber security professionals, but also that executives were much more confident than operational staff about the effectiveness of existing incentives. For example, 42% of cyber security implementers reported that there are no incentives, compared to just 18% of decision makers and 8% of leaders.

“The cybercriminal market is poised for success because of its own structure, which quickly rewards innovation and promotes sharing of the best tools,” said Candace Worley, vice president, Enterprise Solutions, Intel Security. “In order for cyber and IT professionals in government and business to compete with attackers, they need to be as insightful and agile as the criminals they seek to capture, and offer incentives that value the IT staff.”

“It's easy to make a strategy, but it's hard to execute,” says Denise Zheng, director and senior member of the CSIS technology policy program. “How governments and businesses approach and address their misaligned incentives will dictate the effectiveness of their cyber security programs. It is not a question of what needs to be done, but determining why it is not being done and how to do it better.”

Other key conclusions of the report include the following:

Non-executives are three times more likely than executives to view financial and human resource deficits as causing problems in implementing their cyber security strategy.

Although incentives for cyber security professionals are lacking, 65% are personally motivated to strengthen their organizations' cyber security.

95% of organizations have already suffered the effects of cyber security breaches, including disruption of operations, loss of IP, and damage to reputation and brand, among other effects. However, only 32% reported loss of profit or revenue, which may lead to a false sense of security.

The government sector was the least likely to report having a fully implemented cyber security strategy (38%). This sector also had a larger share of agencies with inadequate financial (58%) and human (63%) resources compared to the private sector (33% and 43%).

The report also suggests ways in which the defense community can learn from attacker communities.

These include:

  • Opt for security-as-a-service to counter the criminal market's cybercrime-as-a-service model.
  • Use public disclosure.
  • Increase transparency.
  • Reduce entry barriers to the cyber talent pool.
  • Align performance incentives from senior leadership to operators.

The good news, according to the report's authors, is that most companies recognize the seriousness of the cybersecurity problem and are willing to address it. Organizations need more than tools to combat cyber attackers; experimentation is needed to determine the right mix of metrics and incentives for each organization as they approach cybersecurity as more than just a cost-conscious structure and become more innovative in their organizational structure and processes.

 
