Although cybersecurity expenditures continue to increase, confidence among cyber defenders remains low and many express dissatisfaction with the current state of cybersecurity, calling into question the current state of security efforts, according to a new report by the RAND Corporation.
The RAND’s 162-page study, The Defender’s Dilemma: Charting a Course toward Cybersecurity, sponsored by Juniper Networks, is the second report in a multi-phase study examining the future of cybersecurity. The report contains the insights of a number of chief information security officers (CISOs) on how organizations can combat the rising tide of network intrusions. It follows a predecessor report, Markets for Cybercrime Tools and Stolen Data: Hacker’s Bazaar.
RAND’s newest report paints a bleak picture of the current state of cybersecurity. One CISO said, “It will get worse before it gets better, and I do not know if things will get better.”
Research firm Gartner estimates worldwide cybersecurity spending near $70 billion, and that number will continue to grow roughly 10 to 15 percent annually with no deceleration in sight. Despite the increased investment in cybersecurity, CISOs believe hackers are gaining the upper hand.
“It would be an understatement to say that organizations are dissatisfied with existing cybersecurity—and there is scant confidence among defenders that their exertions will give them the upper hand against malicious hackers two to five years out. Many believe that hackers are gaining on defenders,” the report stated.
Based on interviews with 18 CISOs, RAND researchers confirmed a number of findings RAND expected, including that security postures are highly specific to company type, size, etc.; quarantining certain parts of an organization offline can be a useful option; and responding to the desire of employees to bring their own devices and connect them to the network creates growing dilemmas.
However, researchers were surprised to learn a cyber attack’s effect on reputation, rather than more direct costs, is the biggest cause of concern for CISOs. In fact, two-thirds of those surveyed specifically mentioned loss of reputation as the greatest possible fallout from cyber attack. In particular, the respondents worried about a damaging attack compromising consumer information, saying attacks on them are attacks on their clients.
The recent data breaches of Sony Pictures and health insurer Anthem, for example, illustrate the damage that a cyber attack can inflict on a company’s reputation and their relationship to their clients.
“A successful attack could undo the vast amounts of advertisement and effort put into creating and preserving a company’s image,” the report stated. “Those who worried most about reputation were afraid of cyber attacks that compromised confidentiality of customer data—an increasing concern given that personal information is becoming the raw material that corporations refine into sales.”
Despite the rising number of high-profile breaches and their impact on an organization, cybersecurity remains a hard-sell, especially to chief executives. One CISO told RAND, “No attacker is going to call up a company and tell them what a good job they are doing at keeping them out,” so chief executives often only pay attention to cybersecurity when they are forced to.
Although RAND indicated CEOs will come to focus more on cybersecurity over time, this transition will be a gradual one. The report stated, “The consensus was that CEOs will be forced over time to deal directly with cybersecurity and to become more confident that they can weigh in intelligently, but this transition will not happen overnight.”
One of RAND’s suppositions that was validated by the interviewed CISOs is that customers look to extant tools for solutions even though they do not necessarily know what they need. Furthermore, a number of the respondents stated they were not looking for a “magic wand” or “silver bullet.”
In answer to the question of what they would do if they had more money to spend on cybersecurity, CISOs overwhelmingly focused on human centric solutions, such as more staff and improved cyber awareness training. CISOs are right to focus on the human factor, according to the researchers, since “unwitting human users are often weak point in an organization’s defense.”
The researchers concluded, “Tool solutions vary, humans in the loop are still a large factor in the security equation, and perception matters a great deal—sometimes more than the actual substance of an attack. The best practice is not necessarily the optimal practice, and there is no silver bullet against hackers.”
One of the biggest challenges in choosing new tools and solutions is that attackers are constantly developing countermeasures to new security technologies.
"Cybersecurity is a continual cycle of trying to eliminate weaknesses and out-think an attacker,” said Lillian Ablon, co-lead author of the report and a researcher at RAND. “Currently, the best that defenders can do is to make it expensive for the attackers in terms of money, time, resources and research."
Based on the report’s findings, the researchers provided a number of recommendations for organizations to improve their cyber posture, including knowing what needs protecting, knowing where to devote resources to best protect the organization, considering the potential for adversaries to employ countermeasures, and that government should be prepared to play a role by building a body of knowledge on how systems fail and what to do to prevent those failures, and then sharing that information.
Despite the waning confidence among cyber defenders, Martin Libicki, the report’s co-author and senior management scientist at RAND, believes that, paradoxically, the pessimism expressed over the current state of cybersecurity affairs is also a cause for hope.
“Despite the pessimism in the field, we found that companies are paying a lot more attention to cybersecurity than they were even five years ago,” said Libicki. "Companies that didn’t even have a chief information security officer five years ago have one now, and CEOs are more likely to listen to them. Core software is improving and new cybersecurity products continue to appear, which is likely to make a hacker’s job more difficult and more expensive."
