Cybercriminals have benefited from a disconnect between a company's cybersecurity strategy and its execution, according to a new survey from Intel Security and the Center for Strategic and International Studies (CSIS).
In the corporate world, the vast majority — 93 percent — of businesses have a cybersecurity strategy. But less than half of businesses have fully implemented those strategies.
The problem is compounded because the majority of key employees, IT executives for example, believe execution is complete when it sometimes is not. (See the chart above.)
From the report:
Our study also found that executives and operators disagree on the extent to which their cybersecurity strategy is actually implemented, as well as on the metrics used to evaluate the level of implementation. Executives tend to view their organization’s cybersecurity strategies as more fully implemented than operators. They are also more likely to evaluate the effectiveness of their cybersecurity strategies through the lens of broader organizational goals, including cost control and maintaining reputation, than operators who focus more on technical cybersecurity metrics.
The report identified three areas where incentives are misaligned:
Cybercriminals are innovative, quick and nimble. The same cannot always be said for defenders.
However, the report concludes, incentives can be changed:
Companies have successfully experimented with their business models and structure to become more dynamic and innovative in order to remain competitive. The same sort of experimentation is necessary if cybersecurity is to keep up with the attackers. This will require identifying the right metrics for success and revamping organization structure to build a nimbler, faster defense. In thinking about how to do this, the best approach may be to take lessons from the black hats on how to create effective incentives.
Read the full report here.