Companies are starting to panic. Day after day, week after week, CISOs and IT professionals hear the same refrain: Attackers are gaining ground, and defenders simply don’t have the technical know-how and funding to push forward and take back lost territory. According to SecurityWeek, which was diving into a new report from the RAND corporation, money and expertise aren’t the problem: Leadership is lacking. As a result, “defenders responsible for protecting corporate and personal data are unprepared, overwhelmed and unsupported.” But is it possible for CISOs and other executives to step up and take command, or was this a losing battle from the start?
Funds and Failures of Leadership
As noted by the RAND report, “The Defender’s Dilemma,” even with security spending set to reach $70 billion annually, “chief information security officers (CISOs) feel they are treading water at best — investing more money in security without feeling any more secure.” They’re worried that attackers are gaining on defenders and concerned they haven’t invested budgets wisely. What if a new subset of data is targeted or employees accidentally download malicious third-party apps onto corporate-connected mobile devices? The sheer number of attack avenues often leaves IT departments paralyzed, certain they must do something but unable to choose what.
Consider what’s happened to the U.S. Office of Personnel Management (OPM), which according to NBC News has suffered data loss totaling millions of records spanning current and former federal employees along with citizens who applied for security clearances. Critics say the embattled head of the OPM hasn’t displayed any kind of leadership or a sense of urgency when it comes to these cybercrimes. The director, meanwhile, raises the issue of budgetary constraints, claiming that without enough resources it’s not possible to mitigate the threat of cyberattacks. It’s a game of blame and brinkmanship — no one wants to take responsibility because no one really knows the cause.
Attacks and Retaliation
The RAND report points out that current landscape in corporate security can be traced to the adversarial dynamic of measures and countermeasures. Attackers need only find a single loophole to exploit corporate vulnerabilities and steal valuable data, while security teams are responsible for the constant monitoring of their entire network for new threats, along with developing ways to counter existing problems. This job becomes even more difficult thanks to chronic underfunding of IT security efforts, which is common because it’s so difficult to link prevention and ROI — how can something that’s not happening drive revenue? CISOs and other security leaders, therefore, are dealing with pushback on both sides.
The People Project
So how do companies change the security dynamic? According to the RAND report, investing in people-centric technologies is the first step. By spending on tools to automate security management, advance training for existing staff and even hire new professionals, companies significantly reduced their long-term operational costs for security management. Moving forward, however, requires a rethinking of the current attack/defender landscape.
What’s the biggest challenge for IT security? Guarding a mutable and ever-expanding network border. The problem? This isn’t difficult but impossible — no matter how many guards hired or walls built, some portion of the border will always be left undefended, presenting the perfect opportunity for cybercriminals. For CISOs and other security executives to truly tap leadership potential, teams need a change of focus: It’s not about reclaiming virtual ground or planting corporate flags — it’s about meeting attackers head-on and tackling challenges as they arise. By investing in staff training and tools to recognize aberrant behaviors in real time and empowering them act immediately, companies can toss aside old notions of territory and tenacity, instead focusing on drilling down to capture rogue processes the moment they appear.
Companies can’t win the cybersecurity war with bigger budgets and the same old strategy. People-centric technologies empowered by true leadership, however, could turn the tide.