The call for immediate actions to address cybersecurity is reaching the top levels of global organizations. Cyber risk jumped from 12th to 3rd place in Lloyd's Risk Index 2013, which polled 588 C-level executives and board members at multinationals in April and May of last year. The top five concerns were high taxation, loss of customers, cyber risk, price of material inputs and excessively strict regulation.
As discussions about cyber risk heat up boardrooms, are global organizations spending more on cybersecurity? And are they investing in the right security controls? "My CIO asked me that same question last week," said George Do, global information director at Equinix, an International Business Exchange data center and colocation provider, with operations in 15 countries.
The problem is no one in information security can really answer these questions. Cyber risk remains a challenging calculation because information sharing about the cost of data breaches is limited, and the InfoSec industry can't agree on how well security controls perform. "We can't answer how many viruses antivirus catches," said Anton Chuvakin, research director at Gartner IT security and risk management. "People say, 'Well, we don't know.' Some people quote numbers: '10%' or '90%.' And this is trivial, narrow and tactical, and there is no answer."
Most InfoSec professionals can agree technology is no panacea. With the right combination of people, process and technology -- maximized with threat intelligence and risk assessment -- companies can respond to early warnings about malicious activities that could damage their infrastructure, reputation, brand and legal standing.
"Last year's Verizon DBIR had the numbers that we typically see: 78% of incidents were low-complexity and exploited well-known vulnerabilities or problems that were known about -- and weren't fixed or shielded," said John Pescatore, director of the SANS Institute.
The value of threat intelligence is that it can help prioritize risk and, therefore, a security team's actions. But taking advantage of threat intelligence services requires accurate knowledge of the state of the organization's vulnerabilities. "If I know that I'm not using OpenSSL, I don't care about Heartbleed. I'm not vulnerable -- the threat information tells me nothing," Pescatore said.
The Verizon 2014 Data Breach Investigations Report continues to show that most data breaches are detected by third parties outside the victimized organizations. Attackers are also using more evasion techniques involving encryption and are able to stay inside compromised systems longer, exfiltrating data while avoiding outbound detection.
Cyber risk is the recurring theme in this month's issue. "In the balance: How much cybersecurity is enough?" looks at the use of threat intelligence in risk assessment. "Cyberthreat intelligence is getting crowded" offers an update on community-based threat intelligence services, and columnist Pete Lindstrom analyzes the value of PCI requirements in reducing risk in "Is the PCI Data Security Standard working?"
Enjoy this issue, and let us know how you assess cyber risk and strike a balance between cybersecurity and the cost of doing business.
About the author
Kathleen Richards is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath.