For the complete White Paper (“Angel Investing in Cybersecurity: Understanding the Technology”), please check out Mach37.com
Why is cybersecurity so hard? Lots of reasons of course, but they mainly boil down to asymmetries, business imperatives, and risk. Asymmetries present the key technical/structural challenges that put defenders at a disadvantage. Attackers need only one point of entry to your network to succeed; defenders need to defend all of them simultaneously. Defenders have to continuously trade off security measures with usability of the network and resources; the North Korean approach of just unplugging may provide perfect cybersecurity but not much in the way of usability. The rapid pace of technology change provides attackers with endless opportunities for new vulnerabilities; cybersecurity practitioners struggle just to keep up. And changes in usage patterns such as BYOD allow attackers to exploit inconsistent security measures across a range of device types.
|Asymmetry||Attacker Benefits||Defender Liabilities|
|Points of Entry||Any one of many||Must defend all simultaneously|
|Usability||Not a factor||Tradeoff between usability and security|
|Technology Rate of Change||New vulnerabilities||Continuous effort to keep up|
|Usage Trends (BYOD)||Inconsistent security measures across enterprise||Continuous effort to maintain secure configurations across many devices|
The business imperatives result from the fact that, in most cases, cybersecurity is a cost item to a business rather than a profit center or a revenue generator or a core competency. Cybersecurity budgets are subject to the same pressures as other overhead budgets in an organization, and attention to information security has only recently become a priority for C-Suite/Board members. A rapidly evolving regulatory environment may result in generalized improvement of security over the longer term, but in the short term may actually reduce spending on security in favor of regulatory compliance as those imperatives compete for the same budget. It also turns out to be quite difficult to determine the Return on Investment for cybersecuity spending; how much safer are you as a result of spending that additional dollar? For businesses the result tends to be a sporadic, budget-driven addition of cybersecurity capability, or an incremental replacement of old capability with new rather than a regular comprehensive evaluation of appropriate levels of security.
Finally there is the enterprise perception of risk, and risk management. Anecdotally, companies have significantly underestimated cybersecurity risk until after they have suffered a breach. Tools to measure technical levels of risk have also been slow to evolve. Over time, the combination of growing executive liability, an emerging insurance market, reductions in the stigma associated with disclosure of attacks, and the accumulation of public awareness is beginning to change the perception. Yet the priority assigned to cybersecurity based on the perceived threats to the enterprise remains generally low.
Thus cybersecurity is hard because of a combination of structural issues on the technical side and issues of budget, risk and priority on the enterprise side. Next week, Cyber101 will explore the market structure that has evolved given this external environment.