Each year between November and January of the following year, headlines relating to cybersecurity are dominated by predictions of what’s to come. Annual threat reports by companies like Verizon, McAffee, Microsoft, and other well-known players in the tech industry outline the latest trends in who the bad guys are targeting and by what means. The contents of these articles and reports all agree with each other (for the most part) and converge on the single idea that there is risk in using technology.
While the methods used by hackers evolve at a rate that seems to outpace technology’s advancement, they all boil down to the same small handful of threats. They use deception, exploitation of flaws in technology, and exploitation of holes in physical security to gain control of sensitive information. The sources of those threats also remain largely the same. A company’s own employees remains among the most common source of threats, along with activist hackers, state-sponsored professionals, and run-of-the-mill criminals looking to make some dirty money. These components in the annual reporting never really change.
What does change is the attack of choice by the various wrong-doers. As time goes on, they adapt to using techniques and targeting victims that will give them the greatest chance at success. The cybersecurity industry focuses heavily on those techniques and victim categories each and every year like a herd of deer enthralled with rapidly approaching headlights.
What are they saying?
The majority of the predictions for the coming year will state several things. Chief among them are that enterprise IT will continue moving to the cloud, hackers will be more selective in singling out high-value targets, ransomware is still at thing, phishing and spam email are still being used as a primary means of distributing malware, and scammers are continuing to get more creative.
Incident reports coming from the major IT players will most certainly reveal that cyber-attacks are on the rise, one industry or another has become this past year’s primary target, ransomware (the current malware of choice) is a serious problem, unpatched computers are a serious problem, and your own employees are a serious threat. They change the format from year to year, but essentially always say the same thing.
What is being ignored?
Sure, talking about the emerging trends gets people excited. It can be scary to see the preposterous numbers associated with the frequency of attacks, the number of people compromised, and the dollar amounts lost as a result. Almost nobody is talking about the trends in the global commitment to having better security. In fact, this topic is has not been thoroughly surveyed or reported on by any of the major players who generate annual cybersecurity reports.
Some recent publications, such as the 2019 Evolving Business Models in the Global Security Industry report, touch on the number of organizations with internal security teams, but that only scratches the surface. And with recent changes around the world requiring businesses to take responsibility for their cybersecurity, such as the GDPR in the EU and California’s recent move to mandate “reasonable cybersecurity measures” on internet-connected devices, it stands to reason that you might see more and more organizations having cybersecurity programs. But simply having a cybersecurity program does not mean an organization is more secure.
Adoption of cybersecurity in business
There are three fundamental reasons for any company to have a cybersecurity program:
- Law requires it
- Stakeholders expect it
- Leadership believes it’s necessary
The first two reasons are externally-driven. They can result in organizations falling into the compliance trap. In other words, they do only what they are required to do so they can check a box and make someone else happy who expects them to do at least something. These two reasons do not require that the organization believes security is necessary. They also don’t require that organizations actually implement effective security programs that are properly tailored to their unique business. They only require that organizations do at least enough to keep the oversight trolls off their back so they can get back to making money.
The final driver for implementing cybersecurity is the one that counts. Just as the head guides the horse, the effectiveness an organization’s cybersecurity program is only as good as its leaders’ commitment to it. If leaders truly believe that security is valuable and important, then and only then will the organization have the opportunity to build a cybersecurity program that is most beneficial to all.
What should be we tracking?
There is value in expanding on surveys that look into how many companies are implementing their own cybersecurity programs. This is a metric that would hopefully show an adoption trend year over year. What I believe would be more valuable, though, is to survey executives so that we can track how their attitudes towards cybersecurity evolve.
Having worked under various executives, each possessing a different opinion about the value of cybersecurity, I can personally attest to how the overall effectiveness of security efforts are affected by leaders’ attitudes towards them. I wholly believe that if we were to track how companies leaders embrace the need for cybersecurity, as opposed to simply doing what they must in order to appease shareholders or government rules, we would see a correspondence with the success and magnitude of attacks.
I predict that a greater number of organizations will implement cybersecurity programs in the coming years. Many will do it because they don’t have a choice. Some will do it because they believe it is in the best interest of their company and truly has value. The later will be mostly successful in reducing the impact of threats to their organizations. If the number of executives who value cybersecurity grows, the overall loss from cyber-attacks will begin to be reduced. Will I be correct? We may never know without the metrics to challenge my predictions.