There is a huge disconnect between actual cybersecurity engagement and perception of cybersecurity engagement. A couple of weeks ago, I pointed out how your customers overestimate your cybersecurity protections and are willing to trust you are keeping their sensitive information secure (and we customers think that we know a lot more about security than we really do).
Now, a new study from Intel Security shows the security disconnect inside an organization. The report, Tilting the Playing Field, examined the misalignments between executives and security operators. It stated that one of the reasons cybercriminals have the advantage is because the incentives between the attackers and the defenders are mismatched.
Intel Security looked at three categories of misaligned incentives: corporate structures versus the free flow of criminal enterprises; strategy versus implementation; and senior executives versus those in implementation roles. What the report found was that 60 percent of IT executives believe their cybersecurity strategy is fully implemented but only 30 percent of IT staff agree. Not surprising, since executives are much less likely than their staff to view shortfalls in funding and staffing as causing problems for the implementation of their cybersecurity strategy.
Also, 54 percent of executives are more concerned about reputation rather than cybersecurity – something I’ve seen a lot, and it continues to surprise me. Data breaches and security incidents wreak havoc on a company’s reputation, so it would seem that there’d be even more incentive to deploy security systems in order to prevent reputation losses.
Speaking of incentives, cybercriminals are at an advantage, as SC Magazine UK reported:
And while cyber-criminals have a direct incentive for their work, the survey not only shows that are there few incentives for cyber-security professionals, but that executives were much more confident than operational staff about the effectiveness of the existing incentives. For example, 42 percent of cyber-security implementers reported that no incentives exist, compared to only 18 percent of decision makers and eight percent of leaders.
As Candace Worley, vice president of enterprise solutions for Intel Security, said in a formal statement:
The cybercriminal market is primed for success by its very structure, which rapidly rewards innovation and promotes sharing of the best tools. For IT and cyber professionals in government and business to compete with attackers, they need to be as nimble and agile as the criminals they seek to apprehend, and provide incentives that IT staff value.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba