This blog was written by Candace Worley, McAfee’s former Vice President and Chief Technical Strategist.
The Challenges of Misaligned Incentives in Cybersecurity
Cybercriminals are encouraged by their results, whether stealing money, breaking services, or gaining notoriety, and can quickly abandon tactics that prove ineffective. But what encourages a cybersecurity team to do their best? Perhaps more importantly, what discourages them? To understand this better, we surveyed 800 cybersecurity professionals from five major industry sectors and asked them about their incentives, metrics, and processes. Analyzing the responses, we identified three key incentive misalignments: between corporate structures and the free flow of criminal enterprises, between strategy and implementation, and between senior executives and those in implementation roles.
Corporate Structures versus Criminal Enterprises
The two big differences between cybercriminals and a typical corporate cybersecurity team are the flow of information and the use of specialized resources. Cybercriminal information markets quickly disseminate successes, code, and newly discovered vulnerabilities, encouraging and fueling innovation. While the adoption of threat intelligence sharing is increasing, it has a long way to go to match the speed and detail available on the dark web. These markets also support a great deal of specialization, enabling malware coders, exploit hackers, and social engineering con artists to become very good at their trade. This is a significant difference from most cybersecurity groups, which operate in more generalist roles and only call in external security specialists when necessary.
Strategy versus Implementation
According to our study, most organizations consider cybersecurity to be their number one risk, and have developed strategies to deal with new and existing threats. However, there are some sizable gaps between strategy and implementation, most notably regarding the biggest consequence of a security breach and the methods used to protect the organization. IT executives surveyed were primarily concerned about reputational impact, with less than one-third believing that an incident would result in financial loss, possibly creating a false sense of security. At the same time, almost two-thirds are acquiring overlapping security technologies to protect the organization. While this may sound like a good idea, overlapping technologies that are not integrated and communicating with each other can result in security gaps, due to inconsistent policies and dissimilar configuration tools.
Senior Executives versus Implementers
There appears to be a substantial gap in perceived incentives between senior IT executives and cybersecurity operations. More than one-quarter of the operators surveyed reported that there were no incentives in their organization, such as bonuses or recognition, compared to only 5% of the executives. It could be that employees lower down in the organizational structure are unaware of performance incentives, or that they don’t consider the offerings to be effective. It is not always necessary to hand out cash for better results. Other studies have shown that professional development opportunities are considered to be as valuable an incentive as bonuses, or more so, and they increase your team’s knowledge and capabilities at the same time.
What Can Be Done?
It may seem strange to copy some aspects of criminal behavior, but there are things to learn from how cybercriminals operate. Security-as-a-service can provide the necessary flexibility to counter cybercrime-as-a-service operations. Specialized consultants can augment the in-house team with expertise and focused resources when necessary. Performance incentives and recognition can encourage stronger defenses and faster patch cycles.