Are Enterprises Really Too Far Behind on Cybersecurity?

The Information and cybersecurity field can be a sea of numbers, so it’s not surprising to see – almost on an everyday basis – articles published that spits out numbers like a lottery ticket machine. One recent article on SecurityMagazine.com caught the eye of SecureState.

The article under the microscope was posted May 19, and revealed the findings of a new Ponemon Institute survey. The focal point – to shed light on the lag time it takes both the retail and financial industries to identify advanced threats once those threats are inside their networks. The article points out the “dwell” time for Financial is 98 days, while Retail takes 197 days. These glaring numbers had this author wondering, what are the response times for the other industries, and if it might be a bit unfair to target financial and retail.

So I did some digging. The 2015 Trends Report, along with The 2014 Threat Report – both published by the cybersecurity firm Mandiant – shows a positive trend as an industry whole, with a 16 percent increase in the success rate of data breach discovery, over the past three years:  2014 (205 days), 2013 (229 days), 2012 (243 days). Thus, judging by these numbers, financial and retail are actually ahead of the curve.

Another point the article claims is organizations need to invest more in security staff and tools.

Sounds logical enough, so I looked into that as well.  I dug into the 2015 Global State of Information Security Survey, authored by Pricewaterhouse Coopers, which estimates organizations are spending roughly four percent of their IT budgets on security. A low number, yes, and actually reversing a three year trend of increasing security budgets. However, in North America, security budgets remain on the rise, while financial loses from 2013-2014 declined. This could be a direct correlation.

So then, the argument of Capex (Capital spending) versus Opex (Operational spending) comes into play. Do these businesses spend a chunk of money on a piece of equipment they believe will better protect their systems, or earmark it for employees and further training?  A perfect example of this is Home Depot. The do-it-yourself retailer hired its first ever CISO just months ago, after falling victim to a breach in 2014. More and more organizations are realizing putting someone specifically in charge of their security is the better path to protection. It ultimately comes down to the Principle of Three Forces – Time, Resource and Change.

Here’s one other morsel of food-for-thought. The better all industries get at discovering data breaches, the faster they place themselves in the cross-hairs of the media. It is a definite Catch-22 for any organization to admit they’ve been breached, knowing they’ll become a victim of the media meat grinder.