By all measures, the IT industry appears to be losing the war against cyber attacks, yet companies continue spending more and more on security products.
For example, according to a report released late last year by Marsh and Microsoft, the cybersecurity market exceeded $124 billion in 2019. Despite all that spending, cybercrime cost organizations around $1 trillion that year.
Cyber risk was a top-five concern at 79 percent of organizations surveyed, up from 62 percent in 2017 – but confidence in cybersecurity measures declined across the board. When it comes to understanding and assessing cyberthreats, 29 percent said they were highly confident in 2017, and this percentage dropped to 23 percent last year. Meanwhile, the number of respondents who had no confidence at all in their ability to assess threats doubled, going from 9 percent to 18 percent.
Similarly, the percentage of companies who had no confidence at all in their ability to mitigate or prevent cyber attacks rose from 12 to 19 percent, while those who had no confidence in their ability to respond to or manage cyber attacks went from 15 to 22 percent.
"That lack of confidence may stem in part from the relatively small effect organizations are seeing from ever-increasing investments in cybersecurity technology," suggested the report authors.
Meanwhile, reducing cybersecurity spending isn't an option most would seriously consider given the threat landscape and growing compliance requirements. According to CIO magazine's 2020 State of the CIO survey, an average company now spends 16 percent of its IT budget on cybersecurity. A survey published late last month by Enterprise Strategy Group found that 62 percent of organizations plan to increase cybersecurity spending in 2020 compared to 55 percent who plan to increase IT spending in general.
Obviously, criminals are getting better, said Henry Harrison, founder and CTO at Garrison, a London-based cybersecurity firm. "But the question is, why aren't defenders getting better quicker?" Yes, attackers are getting smarter and using ever more sophisticated technology. Yes, we have an ever-expanding attack surface, including cloud, IoT, AI, and other emerging technologies. But when it comes to cybersecurity spending, many companies are working blind.
"People are spending vast amounts of money on cybersecurity technology, without any knowledge of whether the cybersecurity technology is effective or not," Harrison said.
Part of the problem could be that companies aren't doing a good job of tracking the ROI of their cybersecurity expenditures. Only 35 percent of respondents measure the effectiveness of their security programs against the cost of investment, according to a January survey by the SANS Institute. That leaves managers responsible for security unable to justify needed investment to corporate management, according to report author Barbara Filkins.
Do You Get What You Pay For?
Of those companies in the SANS survey that do measure cybersecurity effectiveness, the most common strategy (used by 59 percent of respondents) is to calculate the reduction in the attack surface. Improvements in compliance are tracked by 44 percent of respondents, 41 percent look at the speed and accuracy of responses, and 18 percent look at whether they've been able to lower the cost of cybersecurity.
"Some vendors are offering ROI measurement tools to help security teams keep track of the performance of their security tools," Aanand Krishnan, CEO at Tala Security, said. But the tools available today are rudimentary. "They conceal more than they reveal when it comes to security performance management," he said.
Another approach is to use industry frameworks and standards like MITRE, NIST, COBIT, CISQ, and others. While they are getting increasingly sophisticated, these frameworks tend to be generic. "CISOs have to spend a lot of time tweaking these frameworks to be relevant to their IT posture," Krishnan said.
Finally, it sometimes looks like every security vendor is promising to solve every security problem there is, and it's hard to tell specifically what their technology does. "Enterprises end up with a vendor bloat problem," he said – and cybersecurity budgets keep expanding.
Hype and Obfuscation
There's also a misalignment between where breaches happen and what the hot cybersecurity technologies of the moment are. Lackluster patching and phishing emails are responsible for most incidents, said Roger Grimes, data-driven defense evangelist at KnowBe4, but those issues aren't what gets all the hype and attention.
"Cybersecurity defense vendors are salesmen," he said. "They are driven to create a sense of fear and panic in their potential customers in order to sell their product. I don’t blame them. That’s what they do to make a living."
According to a survey released by Valimail in December, 53 percent of respondents said most or all cybersecurity vendors use unclear or ambiguous data when pitching their products. In addition, 42 percent said that cybersecurity products do deliver value “sometimes,” but it’s hard or impossible to prove that value, while 44 percent said that most or all vendors obfuscate their technology.
A lot of vendors believe that customers will stay with them no matter what, said Valimail CMO David Applebaum. "For a majority of customers who've standardized on a particular platform, it's hard to switch and go through all the evaluations again of all the vendors," he said. "There's a perception that none of them are much better than the others, so moving isn't necessarily going to increase the level of satisfaction – and then there's the fear that any disruption will leave you vulnerable to attack."
It may be tempting to blame vendors for ineffective technology and their salespeople for obfuscation. And in many instances, they do deserve the blame. But a lot of the blame also lies with enterprises themselves.
For example, one cornerstone of a good corporate risk management strategy is to have some idea of how much risk you can tolerate, but only 35 percent of companies have a clear view of their cyber risk tolerance, according to ISACA's 2020 report about the state of enterprise risk. It's hard to know whether you've met your target for cyber risk when you don't even know what you're aiming for.