Industry Perspectives

Cybersecurity's Poverty Gap

Jul 06, 2016 | by Zulfikar Ramzan, PhD. |

As we pass the halfway point of 2016, the United States Presidential election process is in full swing. Candidates continue to make the case for why their worldview is in the best interests of the nation. Perhaps no other topic polarizes the candidates and receives more prominence in this context than wealth inequality.

Within cybersecurity, there appears to be a corresponding notion that I'll term the "cybersecurity poverty gap". This concept and similar insights are derivatives of RSA's 2nd annual RSA Cybersecurity Poverty Index, which involved surveying 878 individuals (more than double the number of participants from last year) across 81 countries and over 24 industries with regard to the maturity of their cybersecurity program.

One of the most unsettling data points from this year's survey is that three-fourths of respondents felt they had significant cybersecurity risk exposure. From reviewing the data, the concerns appear to stem from a misallocation of resources when it comes to security spending. The strongest reported maturity levels among our respondents came in the area of Protection - a mainstay in conventional security doctrine. At first glance, this result seems reasonable; after all, the conventional wisdom has dictated that an ounce of prevention is worth a pound of cure.

Unfortunately, blindly following the "protection doctrine" is foolhardy given the nuances of today's threat landscape. Attackers with even a modicum of ability bypass traditional preventative measures with alarming ease. After all, what attacker in their right mind will develop a threat will be easily detected the day it's released? Readily available attack tools facilitate the creation of targeted threats. Many can be accessed as SaaS offerings for a small price - payable in Bitcoin, of course!

Given this new world order, increased investment in Detection and Response is the only sensible way forward. That said, Response, which along with Detection, is an increasingly necessary part of a holistic security strategy, was ranked last in maturity by our survey respondents.

In this vein, we found a disconcerting bifurcation of respondents. Those who allocate their investments appropriately to account for detection and response are on a path to improved cybersecurity maturity, while those who continue to allocate their budget disproportionately towards prevention are falling further and further behind. The chasm between the cybersecurity "haves" and the "have nots" is widening at a troubling rate.

I strongly encourage you to download the survey results and, beyond that, to complete the survey yourself so that you can reflect upon your capabilities and establish benchmarks for future comparison. If the current presidential election cycle has told us anything, it's that we collectively have numerous fundamental issues to address. In a similar sense, the cybersecurity issues in front of us continue to increase in importance. The stakes are too high to ignore them. We owe it to ourselves and to the customers we serve to ensure that we're doing everything within our means to address the cybersecurity poverty gap.