How Do We Succeed in the Cyber Security Battle? Episode III – Making the Business Case: Where Does Your Money Go?

This week’s post will introduce you to George Platsis, the newest member of SDI’s cyber team. George has an interesting educational background, with graduate degrees in Business Administration, Disaster and Emergency Management, Law, and Cybersecurity. He describes himself as a “practitioner-educator,” and his work focuses on what he terms “the people side” challenges of cyber and information security. What follows is excerpted from a series of pieces he posted on cybersecurity.

This week’s Episode will focus on one specific area of cyber security decision making: How do you spend your money? Or more accurately: Are you spending your money wisely? Let’s start with the obvious: cyber security is big business and will only continue to get bigger. We spent close to $75 billion USD in 2015 with projections showing that by 2020 we will be investing $170 billion USD in the field.

Similarly, the insurance industry (always looking to insure something) is predicting the “cyber insurance market” to grow from $2.5 billion USD in 2015 to $7.5 billion USD by 2020. (Personally, I think one big breach, followed by one nasty and huge class action payout, will make the “cyber insurance market” grow much more than what has been predicted.)

In 2014, in the U.S. alone, $25 billion USD and 1.2 billion hours were spent trying to deal with cybercrime, one in five small-to-medium businesses were affected, and some projections indicate that cybercrime will cost core business over $2 trillion USD by 2019.

In other words, a lot of money is being spent, lost, sunk, or has drifted away into the ether.

Where the money is being spent is interesting though. According to IDC, an IT analyst firm, the hot areas for growth are security analytics / SIEM (10%); threat intelligence (10%+); mobile security (18%); and cloud security (50%).

My bias is already well known and declared: where is the investment in people?

A metaphor may be useful here.

Does a safe car make a safe driver? No. Reality is, in over 90% of car accidents, human error is the primary factor.

Does a secure network make a user act securely and safely in cyberspace? No. Reality is, in over 95% of cyber incidents, human error is the primary factor.

In the car accident scenario, did we go into some mass hysteria and start spending billions and billions of dollars into creating safer cars? No. The strategy was mixed. We continue to try to get bad drivers off the road, we invest in creating safer cars, and we focus a considerable amount of our efforts in driver safety awareness.

But the same cannot be said for cyber security.

As indicated above, in 2015, we spent about $75 billion USD on cyber security solutions. Of that, estimates show that only $1 billion USD was spent on educational security awareness solutions.

Let’s do some quick math: we spend 13% ($1 billion of $75 billion) of our total cyber security solution expenditure on an issue that is responsible for 95% of our problems.

Not sure if that makes for good business.

Read the rest of George’s post here. https://www.linkedin.com/pulse/how-do-we-succeed-cyber-security-battle-episode-iii-making-platsis?trk=mp-reader-card

 

 
