A recent and exhaustive report by non-profit research and analysis firm RAND Corp. included some interesting and somewhat discouraging findings regarding the state of corporate information security.
The study, "The Defender's Dilemma: Charting a Course Toward Cybersecurity," says organizations are spending greater amounts of money on cyber security products. But they are not convinced that their data is truly secure, and many CISOs think attackers are gaining on their defenses.
Charting the future of information security “is difficult because so much is shrouded in secrecy; no one is entirely certain of all the methods malicious hackers use to infiltrate systems, and businesses do not want to disclose their safety measures,” according to the report.
The study was conducted within the Acquisition and Technology Policy Center of the RAND National Security Research Division, which conducts research and analysis on defense and national security topics for the U.S. and allied defense, foreign policy, homeland security and intelligence communities, as well as for foundations and other non-governmental organizations that support defense and national security analysis. It is based on interviews RAND conducted with 18 CISOs.
Despite the fact that worldwide spending on cyber security is nearly $70 billion a year and growing at 10% to 15% annually (based on market research findings by Gartner Inc.), many security executives are concerned that hackers might gain the upper hand within two to five years, the report notes. This will require “a continual cycle of development and implementation of stronger and more innovative defensive measures.”
Organizations know what they are spending on cyber security, but quantifying what they are saving by preventing malicious attacks is much more difficult, says Lillian Ablon, co-lead author of the report and a researcher at RAND. Because malicious hackers can be extremely sophisticated, any costly measures put in place to improve security can spur countermeasures by hackers, she says.
"Cybersecurity is a continual cycle of trying to eliminate weaknesses and out-think an attacker,” Ablon says. “Currently, the best that defenders can do is to make it expensive for the attackers in terms of money, time, resources and research."
There is some positive news in the research, however. "Despite the pessimism in the field, we found that companies are paying a lot more attention to cyber security than they were even five years ago," notes Martin Libicki, co-lead author of the study and senior management scientist at RAND.
"Companies that didn't even have a chief information security officer five years ago have one now, and CEOs are more likely to listen to them,” Libicki says. “Core software is improving and new cyber security products continue to appear, which is likely to make a hacker's job more difficult and more expensive."
The RAND researchers note that they were surprised by some of the report findings. For example, they found that it was the effect of a cyberattack on reputation, rather than direct costs, that concerned most security executives. In other words, it matters less what actual data is affected by a breach than the fact that any data is put at risk at all.
And at a time when there is lots of talk about government and the private sector sharing information about security threats, RAND says most of the security executives interviewed for the report said they were not interested in government efforts to improve cyber security.
But the researchers think government could play a useful role in helping bolster security. For instance, a government guide outlining how systems fail “could help build a body of knowledge to help educate companies, with the goal of developing higher levels of cybersecurity,” the report says.
As part of its research, RAND created a framework that shows the struggle organizations face in minimizing the costs of insecurity in cyberspace over a 10-year period. These costs include losses from cyber attacks, the direct costs of training users, and the direct costs of buying and using cyber security tools.
Other costs need to be factored in as well, the firm says, including the indirect costs associated with restricting employees from using their personal devices on company networks and the indirect costs of "air-gapping," that is, making sure a computer network is physically isolated from unsecure networks.
The study makes several basic recommendations for organizations to bolster their information security posture. One is to know what needs to be protected, and how badly protection is needed. Another is to know what systems and devices are on the network, what applications they are running, what privileges have been established, and with what state of security.
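The second recommendation, knowing which devices are on the network, what they run, what privileges exist and in what state of security, is in practice a reconciliation problem: compare what the organization believes it has against what discovery actually reports. The script below is an added illustration and is not code from the RAND report or from any product it mentions; the inventory records, the observed-host records and the per-role administrator limit in `MAX_ADMINS` are all constructed sample data and a hypothetical policy.

```python
"""Reconcile a declared asset inventory against observed network state.

Flags devices that were never declared, software outside the approved set,
declared controls that are absent, administrator counts above the role's
limit, unpatched hosts, and declared hosts that were not observed at all.
All data here is constructed for illustration (not from the RAND report).
"""

# Constructed sample: the inventory the organization believes it has.
DECLARED = {
    "10.0.1.10": {"owner": "finance", "role": "workstation",
                  "approved_apps": {"office", "browser", "edr-agent"}},
    "10.0.1.11": {"owner": "finance", "role": "workstation",
                  "approved_apps": {"office", "browser", "edr-agent"}},
    "10.0.2.5":  {"owner": "it", "role": "file-server",
                  "approved_apps": {"smb", "edr-agent"}},
}

# Constructed sample: what a discovery scan or agent telemetry reported.
# 'patched' is True/False, or None when the host has no agent to report it.
OBSERVED = [
    {"ip": "10.0.1.10", "apps": {"office", "browser", "edr-agent"},
     "admins": {"finance\\alice"}, "patched": True},
    {"ip": "10.0.1.11", "apps": {"office", "browser", "torrent-client"},
     "admins": {"finance\\bob", "finance\\carol"}, "patched": False},
    {"ip": "10.0.2.5",  "apps": {"smb", "edr-agent"},
     "admins": {"it\\svc-backup"}, "patched": True},
    {"ip": "10.0.3.77", "apps": {"ssh"}, "admins": set(), "patched": None},
]

# Hypothetical policy: maximum local administrators permitted per role.
MAX_ADMINS = {"workstation": 1, "file-server": 2}


def reconcile(declared, observed, max_admins=MAX_ADMINS):
    """Return a sorted list of (ip, finding_kind, detail) tuples."""
    findings = []
    seen = set()
    for host in observed:
        ip = host["ip"]
        seen.add(ip)
        spec = declared.get(ip)
        if spec is None:
            # A device on the network that nobody declared: the inventory is wrong.
            findings.append((ip, "unknown-device", "not in declared inventory"))
            continue
        extra = host["apps"] - spec["approved_apps"]
        if extra:
            findings.append((ip, "unapproved-software", ", ".join(sorted(extra))))
        missing = spec["approved_apps"] - host["apps"]
        if missing:
            # An approved control (e.g. the EDR agent) is declared but not running.
            findings.append((ip, "missing-control", ", ".join(sorted(missing))))
        limit = max_admins.get(spec["role"], 0)
        if len(host["admins"]) > limit:
            findings.append((ip, "excess-privilege",
                             f"{len(host['admins'])} admins > {limit}"))
        if host["patched"] is False:
            findings.append((ip, "unpatched", "missing security updates"))
    # Declared hosts that discovery never saw: stale inventory or a blind spot.
    for ip in declared.keys() - seen:
        findings.append((ip, "not-observed", "declared but not seen on network"))
    return sorted(findings)


def findings_for(findings, ip):
    """Set of finding kinds raised against a single host."""
    return {kind for host, kind, _ in findings if host == ip}


if __name__ == "__main__":
    for ip, kind, detail in reconcile(DECLARED, OBSERVED):
        print(f"{ip:<12} {kind:<20} {detail}")
```

Run as-is, the script reports five findings: four against `10.0.1.11` (an unapproved application, the declared EDR agent missing, two administrators where the role allows one, and missing updates) and one unknown device at `10.0.3.77`. The point of the exercise is that every gap between the declared and observed columns is an answer to one of the report's questions: what is on the network, what it runs, who holds privilege there, and how secure it currently is.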
Organizations should also know where to devote their efforts to protect the organization. “A core choice for companies is how much defense to commit to the perimeter and how much to internal workings,” the report says. “Attackers often establish a persistent presence in networks when an employee opens a bad attachment or goes to a malicious Web site. Once penetrated, weaknesses in other code enable the malicious code either to execute its own instructions or obey those of the attacker.”
Having better code would make this process much more difficult, the report says, “but infections are possible even with better code, so multiple tools must be employed.”
Finally, consider the potential for adversaries to employ countermeasures. “Mounting a defense is a necessary first step,” the report notes. “But as defenses are installed, organizations must realize they are dealing with a thinking adversary and that measures installed to thwart hackers tend to induce countermeasures, as hackers probe for ways around or through new defenses.” Companies should consider measures of the sort that are less likely to attract countermeasures, it says.