A report from Intel has highlighted how the lackadaisical defence strategy and implementation put cybercriminals at an advantage.
The latest survey by Intel Security and Centre for Strategic and International Studies (CSIS), participated by 800 cybersecurity professionals from five industry sectors, has exposed how misaligned incentives and overconfidence of executives benefit the cyber criminals.
Figure 1: The state of misalignment: While cybersecurity risk is more of a concern than ever for enterprises, there are fault lines in risk management, team incentives and inherent in how attackers operate versus how defenders manage themselves.
The report, “Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity,” defined three categories of misaligned incentives that include corporate structures versus the free flow of criminal enterprises, strategy versus implementation and senior executives versus those in implementation roles.
The report has highlighted how cyber criminals take advantage on a fluid and decentralised market while bureaucracy constrains defenders. Misalignments also occur within defenders' organisations. For instance, while more than 90% of organisations report having a cybersecurity strategy, less than half have fully implemented them. Moreover, 83% say their organisations have been affected by cybersecurity breaches, indicating disconnect between strategy and implementation.
Other misalignments include underfunded and understaffed cybersecurity strategy, lack of incentives for cybersecurity professionals and false sense of security.
The report has suggested ways the defender community can learn from the attacker communities like opting for security-as-a-service to counter cybercrime-as-a-service, using public disclosure, increasing transparency, lowering barriers to entry for the cyber talent pool and aligning performance incentives from senior leadership down to operators.
Figure 2: An Intel Security illustration: Lessons from the criminal market vs. defender's analog.