Paint-By-Numbers Cybersecurity. It’s NOT Working.

Cybercrime Magazine pulled several key market statistics from their securityventures.com research:

1. Global Cybercrime Damage Predicted to Hit $10.5 Trillion Annually by 2025. ANNUALLY.

2. Global Cybersecurity Spending Will Reach $1.75 Trillion Cumulatively From 2021-2025.

See any disparity? Things look a little off to you?

3. The World Will Have 3.5 Million Unfilled Cybersecurity Jobs In 2023. Meanwhile, the cybersecurity workforce reached an all-time high in 2022, with an estimated 4.7 million professionals employed.

So, there is a ridiculous gap between the cost of crime and the investment in cyber remediation, and the workforce would need to nearly double to fill the open jobs.

4. Global Ransomware Damage Costs Are Predicted To Exceed $265 Billion by 2031.

This is JUST ransomware. Not DDoS, Business Email Compromise, Cloud Misconfiguration, etc.

5. The World Will Need To Cyber Protect 200 Zettabytes (ZB) Of Data By 2025.

1 ZB = 1,000,000,000,000 GB. That’s a lot of data. Now imagine 200 times that.

6. The World Will Need To Secure 338 Billion Lines Of New Software Code In 2025.

And yet, organizations are STILL writing code that does not adhere to secure application development protocols, including OWASP and DevSecOps.

See, current cybersecurity efforts are not working. Oh, sure, there are point-in-time circumstances that provide a level of protection for a certain condition, device, or process. But overall, over the long term, what we are doing today is not working. If it were, budgets, incidents, and payments would be going down, not up.

WHY?

I can hear you repeating all the usual responses:

· Lack of security awareness and training

· Increasingly sophisticated phishing campaigns

· Lack of budget

· Ineffective security personnel

· Stupid Users

Sure, they are all true. But these are not the real reasons cybersecurity is failing today. They are but the symptoms.

Here’s why.

#1. Microsoft. Who believes MS is providing top-notch security to its customers? Considering MS has nearly 80% market share, and it is Microsoft systems that are most often generating risk, you quickly see an embedded problem.

#2. Government Involvement. Under the guise of protection, governments (global, local, state, federal) are pushing their brand of regulatory compliance. This is a disparate, discombobulated, and highly inefficient way to “protect” data. It’s not about protection at all; it's about adherence to a regulation.

Question: How many companies that are 100% compliant suffer a breach?

Answer: 100%.

Recount the list of frameworks, assessments, regulatory requirements, White House Directives, Infrastructure Protection programs, etc. that, in and of themselves, protect data. Exactly none. You still need to deploy a technology, process, and workflow to make it happen.

If you follow the CIS Top 18 Critical Security Controls, OWASP, and DevSecOps principles, you will “adhere” to virtually all regulatory requirements. I shit you not.

#3. Insurance Companies. Enter the lawyers. Attorneys have completely co-opted insurance providers—and vice versa—in an incestuous relationship of ‘how not to pay your cybersecurity claim and simultaneously raise your rates.’

#4. Finance Departments. Is your CIO (or similar office) still reporting to the CFO? Is your CISO (if you have one) reporting to the CIO? Finance uses spreadsheets. Spreadsheets have cells. Cells need to have a specific value. For Security teams, that means you are a sub-value of the IT budget, usually some woefully low percentage (6-10%) of it. Hence, the investment in cybercrime remediation is a tenth of the cost of cybercrime. DO THE MATH.

There is no rhyme or reason Security should (A) report to the CIO and, (B) constitute a percentage of an already dismal budgeted line item. Oh, the tyranny of the profit center!

#5. Inept Leadership. There, I said it out loud. Leaders do not want to wallow around in the minutia. “Just give me a two-page executive summary.” Sure, that will work.

How To Fix This.

· Stop with the nonsense of “everybody gets their own assessment criteria.”

· Stop being lit up by the cool charts and fancy product names, proffered by a crack sales team, from Microsoft. Use what you need to and disband with the rest. Any organization that needs a “Patch Tuesday” is not your best option.

· Do everything you can to protect the data. It’s the data, stupid. Remember the whole zettabyte conversion above? THAT DATA.

· Self-insure. Ridiculous insurance fees, the high likelihood of non-compliance, and lawyers’ fees make it a wash. The average cost of a breach is $4.35 million as of 2022. Follow CIS, OWASP, DevSecOps, and prepare proactive measures instead of after-the-fact measures, and you will likely not come near that amount if you suffer a breach. But, go ahead and put $5 million in the bank, anyway.

Chad V.

Protecting people and livelihoods. Cyber Risk Assessments, vCISO Services, CMMC Implementation and Preparedness. I fight for the user.

1 year

Chuck gonna Chuck. Thanks for this one, brother… bringing it straight!
