Challenging the Perceived Lack of Incentives to Improve Cybersecurity

Cybersecurity Incentives.jpg

Is it a financially sound business decision for the industry to not invest in more cybersecurity? Recent news articles, congressional reports, and industry discussions have been cropping up around the community regarding the lack of incentives for companies to increase investments in cybersecurity.  With so many stories of breaches and attacks, affecting tens of millions of customers, could it really be true?

It is an interesting discussion, but I don’t buy into the viewpoint, citing data from recent breeches, the overall calculated security impact costs to companies is not significant enough to justify investments in better security.

First, a couple of things about the approach of the analytical comparisons.  The costs are being compared to the gross sales of the impacted companies.  I believe a more relevant approach is to compare the impacts against net profits and not gross sales, as these are overhead costs that take away from the bottom line.  In the end, it can make a lot of difference to management if an attack consumes a big chunk of your profit or worse, pushes you from the green into the red side of the ledger.  Secondly, most cost calculations don’t reflect the insurance premiums, which will be going up, that companies pay annually to be covered against breach related losses.  Very few consider the downstream effects of other vendors and business partners who are impacted and assume some of the loss.  Finally, there is no good way of determining the long term detrimental effects on customer goodwill.  Every customer has a breaking point, especially where there is significant competition and alternative choices vying for patronage.  Let me stop here, as all these criticisms are not the real point.  I believe the important aspects of this discussion are being missed altogether.

What disturbs me greatly is the lack of strategic vision.  The relevance of this topic is not determined by looking back at last year’s breaches and comparing them to that year’s annual budget, sales, or profit.  It is far too shortsighted.  It is like evaluating the value of investing in braking technology when the automobile first emerged.  They really didn’t have anything we would consider a practical way of stopping well.  The cost of developing braking systems probably seemed extreme if they looked back on the previous year and calculated the low costs of accidents, few vehicles, and considered customers were still happy to just own one.  But as cars got faster and more people began taking to the roads, the situation changed fast.  Developing reliable brakes on automobiles became important.  The electronic ecosystem is moving much faster.

Instead of looking back, we must have the vision to see where the trend and acceleration of the evolving events will take us.  As the world quickly becomes more reliant and integrated with technology, attacks will have a greater corresponding effect.  What is needed is an analysis which shows over time the inclination of attack frequency, direct losses, recovery costs, and secondary impacts such as the erosion of customer goodwill and additional regulatory hurdles.  Then extrapolate this against how technology will expand in size, permeate our lives, and how it will push an increase in the value of data and services.  This will drive ever greater potential impacts.

The current inconvenience experienced by customers may transition to frustration and over time, to true dissatisfaction.  Someone having to swap out an old credit card with a replacement in their wallet is no big deal.  But what if their car won’t start, their credit is cratered when they are trying to buy groceries, a prescription is filled with the wrong medication, their smartphone stops working, or their retirement account is emptied?  Everyone has a threshold where purchasing decisions and brand loyalty will falter.

Not too far in the future the types of impact may drastically change.  As attacks shift from relatively simple denial-of-service and data breach attacks, which are fairly straightforward to recover from, to more complex attacks which tamper with the integrity of internal transactions, we will see costs and impacts skyrocket!  It is coming (I would say we are already crossing this boundary with the Carbanak malware stealing a billion dollars from banks).

We must consider how the losses will viewed as we approach the technology cliff where future cybersecurity issues will put people’s lives in harm’s way.  What happens when cars (driverless or not) are hijacked and under the control of hackers, industrial safety systems are compromised leading to disaster, or defense systems are taken over by unfriendly groups?  All of which we are also seeing either happening or research showing proof-of-concept success.

In the end, the axiom holds true: Security is only relevant when it fails.  Cybersecurity investment is future facing.  Calculating the cost incentives of past failures is not nearly as interesting as mapping the trajectory of where they will be in three or five years.  A lack of investment now, places these organizations on a path of great losses in the future.  The real conversation should not be about the lack of current incentives, but the analysis of what the future incentives will become.

 

Twitter: @Matt_Rosenquist

IT Peer Network: My Previous Posts

LinkedIn: http://linkedin.com/in/matthewrosenquist

Published on Categories SecurityTags ,
Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.