
 
Intel Security, in partnership with the Center for Strategic and International Studies (CSIS), released “Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity”, a global report and survey revealing three categories of misaligned incentives: corporate structures versus the free flow of criminal enterprises; strategy versus implementation; and senior executives versus professionals in implementation roles. The report highlights ways organizations can learn from cybercriminals to correct these misalignments.
 
Based on interviews and a global survey of 800 cybersecurity professionals across five industry sectors, the report outlines how cybercriminals are at an advantage, thanks to cybercrime incentives that generate big business in a flexible and dynamic market. Defenders, on the other hand, often operate in bureaucratic hierarchies, which puts intense pressure on them to keep up with demand.
 
Additional misalignments occur within defenders' organizations. For example, while more than 90% of organizations report having a cybersecurity strategy in place, fewer than half have fully implemented it. Additionally, 83% said their organizations have been impacted by cybersecurity breaches, indicating a disconnect between strategy and implementation.
 
And while cybercriminals have a direct incentive to act, the survey shows not only that there are few incentives for cybersecurity professionals, but also that executives were far more confident than operational staff about the effectiveness of existing incentives. For example, 42% of cybersecurity implementers reported that there are no incentives, compared to just 18% of decision makers and 8% of leaders.
 
"The cybercriminal market is primed for success because of its very structure, which quickly rewards innovation and promotes sharing of the best tools," said Candace Worley, VP of Enterprise Solutions at Intel Security. "For cyber and IT professionals in government and businesses to compete with attackers, they need to be as insightful and agile as the criminals they seek to capture, yet provide incentives that value IT staff."
 
"It's easy to design a strategy, but to execute it is difficult," says Denise Zheng, director and senior fellow of the technology policy program at CSIS. “How governments and companies approach and treat their misaligned incentives will dictate the effectiveness of their cybersecurity programs. and 'how' to make it better."
 
Other conclusions
 
• Despite the lack of incentives and recognition for cybersecurity professionals, 65% of them are personally motivated to strengthen their cybersecurity organizations.
 
• 95% of organizations have already suffered the effects of cybersecurity breaches, including interruption of operations, loss of IP, and damage to the company's reputation and brand, among other effects. However, only 32% reported experiences of lost profits or revenue, which can lead to a false sense of security.
 
• The government sector was least likely to report having a fully implemented cybersecurity strategy (38%). This sector also had a higher share of agencies with inadequate financial (58%) and human (63%) resources compared to the private sector (33% and 43%).
 
The report also suggests ways in which the defense community can learn from attacker communities. These include:
 
• Opt for security-as-a-service to combat the cybercrime-as-a-service model of the criminal market.
 
• Use public disclosure.
 
• Increase transparency.
 
• Lower barriers to entry for the cyber talent pool.
 
• Align performance incentives from senior leadership to operators.
 
The good news, according to the report's authors, is that most companies recognize the seriousness of the cybersecurity problem and are willing to tackle it. Organizations need more than tools to fight cyber attackers; experimentation is needed to determine the right mix of metrics and incentives for each organization as they approach cybersecurity as more than simply a cost-conscious framework and become more innovative in their organizational structure and processes.
 
For more information on these results and to view the full report, visit: www.mcafee.com/misaligned.
            
Methodology
 
Intel engaged independent technology market research expert Vanson Bourne to conduct the research on which this report is based. Intel surveyed more than 800 respondents from companies ranging from 500 employees to more than 5,000 from five major industry sectors, including Finance, Healthcare and the Public Sector. The survey targeted respondents who had executive-level responsibilities for cybersecurity, as well as operators with technical and enforcement responsibilities related to cybersecurity. Countries represented by respondents include the United States, United Kingdom, France, Germany, Brazil, Japan, Singapore, Australia and Mexico.
 
