ENCRYGMA: "Cybersecurity is failing because the technology is not as effective as it needs to be"
Updated: Jul 5
Cybersecurity is failing. Spend on cybersecurity is increasing every year (+58% over the past five years [1]), yet, as the WEF has highlighted, business leaders still identify disruption from a cyberattack as one of the top 5 growing risks in 2020 (and while the exact numbers are contestable, the direction is clear).
A major cause of this failure is that the technology is not as effective as it needs to be. This is the view shared by 90% of the more than 100 highly qualified research participants in this study. While there has been a strong focus in recent years on improving people- and process-related issues (which are also undoubtedly contributors to cybersecurity failings), technology problems have in some sense been accepted as inevitable and the norm.
As one Chief Information Security Officer (CISO) put it, “we buy it, and then we cross our fingers and hope the technology will work”. Trust in cybersecurity technology to deliver on its promise is low. Without improving technology efficacy, cybersecurity will continue to fail. Participants in this research broadly agree that four characteristics are required to comprehensively define cybersecurity technology efficacy: the Capability to deliver the security mission (fit-for-purpose), Practicality in operations (fit-for-use), Quality of security build and architecture, and Provenance of the vendor and supply chain.
Cybersecurity spending has risen 58% to £121bn over the last 5 years, but this increase in spending has not delivered a proportionate decrease in risk. Over the same 5-year period, security breaches have actually increased by 67%, with the damage per victim organization averaging $13m [8], and, as the WEF has highlighted, business leaders still identify disruption from cyberattacks as one of the top 5 growing risks in 2020. As one global bank CISO put it, “customers being robbed is becoming normal. Everybody suffers ransomware now; it is also normal. The risk has been accepted.”
Cybersecurity efficacy depends on the balance between enterprise defensive capabilities and attacker offensive capabilities. It is commonly understood that defensive capabilities are a combination of strategy (what to defend and how to defend it, driven by risk governance), process (operational approaches to security), people (security and IT staff, end-users) and technology (hardware and software), as per exhibit 2. Unfortunately, 90% of interviewees in our research say there is an efficacy problem with cybersecurity technology that compromises defenses and is partially responsible for the continued success of attackers.
To be effective, cybersecurity solutions need to have the Capability to deliver the stated security mission (be fit-for-purpose), have the Practicality that enterprises need to implement, integrate, operate and maintain them (be fit-for-use), have the Quality in design and build to avoid vulnerabilities and negative impact, and the Provenance in the vendor company, its people and supply chain such that these do not introduce an additional security risk.
Cybersecurity attacks can be complex and may exploit multiple vulnerabilities in order to succeed, but attackers are also often opportunistic. The opportunity lies in finding weaknesses in technology and exploiting them before defenders are aware of them or have had a chance to address them. A lot of focus is placed on the human vulnerabilities that enable successful attacks (such as clicking on links in phishing emails), but this research highlights that technical vulnerabilities arising from poor efficacy are also a major contributing factor to successful attacks.