Incentives Drive Results

By on

The Challenges of Misaligned Incentives in Cybersecurity

Cybercriminals are encouraged by their results, stealing money, breaking services, or gaining notoriety, and can quickly change tactics that are ineffective. But what encourages a cybersecurity team to do their best? Maybe more important, what discourages them? To understand more about this, we surveyed 800 cybersecurity professionals from five major industry sectors, and asked them about their incentives, metrics, and processes. Analyzing the responses, we identified three key incentive misalignments: between corporate structures and the free flow of criminal enterprises, between strategy and implementation, and between senior executives and those in implementation roles.

Corporate Structures versus Criminal Enterprises

The two big differences between cybercriminals and a typical corporate cybersecurity team are the flow of information and the use of specialized resources. Cybercriminal information markets quickly disseminate successes, code, and newly discovered vulnerabilities, encouraging and fueling innovation. While the adoption of threat intelligence sharing is increasing, it has a long way to go to match the speed and details available on the dark web. These markets also support a great deal of specialization, enabling malware coders, exploit hackers, and social engineering con artists to become very good at their trade. This is a significant difference from most cybersecurity groups, which operate in more generalist roles, and only calling in external security specialists when necessary.

Strategy versus Implementation

According to our study, most organizations consider cybersecurity to be their number one risk, and have developed strategies to deal with new and existing threats. However, there are some sizable gaps between strategy and implementation, most notably the biggest consequence of a security breach and methods used to protect the organization. IT executives surveyed were primarily concerned about reputational impact, with less than one-third believing that an incident would result in financial loss, possibly creating a false sense of security. At the same time, almost two-thirds are acquiring overlapping security technologies to protect the organization. While this may sound like a good idea, overlapping technologies that are not integrated and communicating with each other can result in security gaps, due to inconsistent policies and dissimilar configuration tools.

 Senior Executives versus Implementers

There appears to be a substantial gap in perceived incentives between senior IT executives and cybersecurity operations. More than one-quarter of the operators surveyed reported that there were no incentives in their organization, such as bonuses or recognition, compared to only 5% of the executives. It could be that employees lower down in the organizational structure are unaware of performance incentives, or they don’t consider the offerings to be effective. It is not always necessary to hand out cash for better results. Other studies have shown that professional development opportunities are considered as or more valuable an incentive than bonuses, and they increase your team’s knowledge and capabilities at the same time.

 What Can Be Done?

It may seem strange to copy some aspects of criminal behavior, but there are things to learn from how cybercriminals operate. Security-as-a-service can provide the necessary flexibility to counter cybercrime-as-a-service operations. Specialized consultants can augment the in-house team with expertise and focused resources when necessary. Performance incentives and recognition can encourage stronger defenses and faster patch cycles.

 

Categories: Business
Tags: ,

Leave a Comment

Similar articles

At the end of last year, a survey revealed that the most popular password was still “123456,” followed by “password.” These highly hackable choices are despite years of education around the importance of password security. So, what does this say about people who pick simple passwords? Most likely, they are shooting for a password that is ...
Read Blog
If you’re a gamer, you know how important virtual currency is. It allows you to purchase new costumes and weapons to personalize your avatar. But how does one go about gaining virtual currency? Players complete in-game challenges and are rewarded with coins to spend in their virtual world. These challenges can be pretty difficult and ...
Read Blog
Holiday stress. Every year, come November, my resting heart rate starts to rise: the festive season is approaching. Not only is there so much to do but there’s so much to spend money on. There are presents to purchase, feasts to prepare and party outfits to buy. Throw in a holiday to fill the long ...
Read Blog