As is often the case, this is prompted by a FUD-soaked headline. In this case IBM’s CEO Ginni Rometty, making a grand statement that was turned into a Forbes headline.
“Cyber Crime Is The Greatest Threat To Every Company In The World”
The figure quoted: Cyber attacks can cost businesses as much as $400 billion a year
That giant number is from Lloyd’s cyber insurance arm. The report goes on to tell us how IBM’s overall valuation is on an upward curve…after 14 periods in the other direction. Their security business is a key part of that turnaround and it’s gearing up to play an even bigger one (it currently only represents 2% of total revenues).
No wonder she’s shouting about security, in this case at IBM’s own security summit, addressing CISOs, CIOs and CEOs from 124 companies.
Then there’s the marketing motivation for cyber insurers. That market is expected to triple to $7.5bn in the next 3 years. A comparable prediction to the one for the cyber security market from the same Forbes piece:
The worldwide cybersecurity industry is defined by market sizing estimates that range from $77 billion in 2015 to $170 billion by 2020
So now we’re getting the vested interests back into the picture, what is the reality behind Rometty’s statement? Especially when twinned with insurer-driven headline figures. In the absence of better context this is how it read to me:
You are gonna get breached. It’s gonna be horrific. So best get you some cyber insurance and IBM “kitsultancy” (consultancy parlayed into product sales, or product sales parlayed into consultancy)
Being a realist, I know the power of marketing. Especially when it’s one CXO to another. So it deserves a more informed response.
Is the whole article just an infomercial?
Anyone who reads my blog knows I have concerns about the lack of security expertise, missing risk data, upward premium creep, and downward coverage creep in the still-maturing cyber insurance market. Those concerns were given recent perspective in The Register, on 23rd November, by a security pro with insurance industry experience. That doesn’t negate the value of Lloyd’s figures, but question and reporting bias shouldn’t be ignored.
The article is also stacked high with levers aimed at nudging current and prospective IBM clients in deal signing directions, and speculators towards ‘buy’ buttons for IBM stock.
But there’s more than a grain of truth in what Rometty said when you put it back into context:
“We believe that data is the phenomenon of our time. It is the world’s new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry. If all of this is true – even inevitable – then cyber crime, by definition, is the greatest threat to every profession, every industry, every company in the world.”
Another source quoted in the Forbes article is the World Economic Forum (WEF). They have recently released their 2015 Global Risks Report. Here’s the quoted perspective, and below it the top ten risks broken down by impact and likelihood.
The WEF says a significant portion of cybercrime goes undetected, particularly industrial espionage where access to confidential documents and data is difficult to spot
With data fraud or theft, cyber attacks, and critical information infrastructure breakdown making it onto top 10 lists, we can’t judge her statement too harshly. In fact her statement about data is something most people can get behind. I put the argument for data supremacy in corporate risk management in this article, and I’m far from alone. Just this week PwC’s cybersecurity supremo came up with this quote for a Silicon Republic video interview:
“Protect the data, forget the perimeter”
Needless to say he doesn’t want you to scrap your firewalls, he’s just pointing out what we all deep down know: The criminal market drives demand and much of the demand is for data. Demand vs supply drives the price, and the price drives motivation to make more and more creative effort to get hold of it (Pierluigi Paganini put some context and numbers around that in this February Security Affairs blog post).
So what, given my statements above, is wrong with Rometty’s assertion?
The ‘Context Conundrum’ (a.k.a WTF’s the risk?)
Back in 2014 McAfee released one of the frequent reports (link to PDF) that try to pin a value on cybercrime. In response, The Guardian published this:
Is the global cost of cybercrime really £266bn a year? No, it isn’t
In that article, McAfee’s calculations were robustly challenged. The challenges are relevant to any such report (incidentally, £266bn is just over $400bn at today’s prices…the same as the Lloyd’s figure quoted by Rometty):
Rather than solely focusing on the amount of money criminals made from their exploits, the McAfee study involved collating publicly available data from individual countries, alongside information gleaned during interviews with government officials and experts. Much of this was anecdotal data.
McAfee took all this information and used various methods to determine a range of estimates. They differed wildly. The £266bn figure was determined from aggregating costs as a share of regional incomes, which meant taking the percent of GDP that was lost to cybercrime from countries researched and adding them up.
Another method took the loss of high income countries and extrapolated that out to reach £342bn. The third and final calculation took the total amount for all countries where it could access open source data, which was again extrapolated to hit £223bn, the lowest estimate.
McAfee said none of these approaches were “satisfactory”, and admitted that putting a figure on the cost of cybercrime is difficult when many countries aren’t recording costs effectively. Let me just repeat that last part:
“…putting a figure on the cost of cybercrime is difficult when many countries aren’t recording costs effectively”
…and therein lies the rub. Quantifiable data and context are the crown jewels for our trade and the cyber insurers, and 4/5/6 figure deals are being brokered without useful reference to either.
Because companies know cybercrime is a commercial reality, it scares all of us, and we ARE paying attention. But at the same time we are ignorant of our own local risk context. As I said in this post about the recently killed Safe Harbor agreement:
We don’t really know how much snooping is permitted by less than great security controls vs master spy cyber tactics. What we DO know is that holey security is an open invitation to garden variety, profit motivated criminals.
You can’t scale the risk mitigation value of pricy technical remedies (the ones invariably spliced to the billion dollar impact headlines), without that local risk context.
Or…as I responded to the first tweeted mention of Rometty’s quote:
Some alternative context from an old Information Security Buzz article, this time about technically generated threat intelligence:
Threat Intelligence becomes an oxymoron without the context of your local exposure
Integrated into your SIEM or AV solution it will increase your capability to spot, understand and deal with most nasties. But only IF you know what to fix, where it is and how the fix will impact the business.
Is it better not to know? No. But if the business invested in this, with your backing, it’s safer for your career if you can actually make use of outputs and demonstrate real results. Or, at the very least, explain the plan to get to that point.
So, is your business mature enough to get that value-add, or rich enough to buy in expertise to get you there?
Circling back to the article that kicked all this off:
Have you? Have you got that context? Both for the threat headlines, and for your local exposure? Does the offered solution help to fill those business risk insight gaps? It may do exactly that…but do you know?
If not, perhaps finding and categorising assets most attractive to criminals is the first priority? After all, if you don’t know where assets are, and haven’t placed a financial, operational or strategic value on them, how can you plan to defend them?
Possibly then take a look at old gaps in infrastructure, systems and knowledge left by years of underspend. They are the staple diet of cybercrime.
Next take a long hard look at your risk management practices (you’ll find a view of the current state of capability in this cyber insurance article), your change security assurance, and how well you govern supplier security. Because while you have eyes on a technical solution prize, that’s where most of your new vulnerabilities are brewing.
Perhaps then, when you know how much potential risk you are facing, it is time to get out the chequebook.
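As an added illustration of the ordering in the last few paragraphs (put a value on the assets, score the old gaps, and only then judge a purchase by the risk it actually removes), here is a small Python risk register. It is not from the article or from any IBM or insurer tooling: every asset, value, rate and control in it is constructed, and the single/annualised loss expectancy arithmetic is the standard textbook form rather than a method the post prescribes.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example data: a small asset register and a few candidate controls.
# None of these figures come from the article; a business would replace them
# with its own valuations and incident history.


@dataclass(frozen=True)
class Asset:
    name: str
    category: str                 # e.g. "customer data", "IP", "operations"
    value_gbp: Optional[float]    # financial/operational/strategic value; None = not yet valued
    annual_rate: float            # expected compromises per year given current control gaps
    loss_fraction: float          # share of the asset's value lost per compromise


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost_gbp: float
    covers: frozenset             # names of the assets the control protects
    rate_reduction: float         # fractional cut in annual_rate for covered assets


def single_loss_expectancy(asset: Asset) -> float:
    """Loss from one compromise of the asset (SLE)."""
    return asset.value_gbp * asset.loss_fraction


def annualised_loss_expectancy(asset: Asset) -> float:
    """Expected loss per year (ALE = SLE x annual rate of occurrence)."""
    return single_loss_expectancy(asset) * asset.annual_rate


def unvalued_assets(assets: List[Asset]) -> List[str]:
    """Assets that cannot be scored until the business puts a value on them."""
    return [a.name for a in assets if a.value_gbp is None]


def prioritised_assets(assets: List[Asset]) -> List[Tuple[str, float]]:
    """Scored assets, highest expected annual loss first (unvalued ones are excluded)."""
    scored = [a for a in assets if a.value_gbp is not None]
    return sorted(((a.name, annualised_loss_expectancy(a)) for a in scored),
                  key=lambda pair: pair[1], reverse=True)


def control_benefit(control: Control, assets: List[Asset]) -> float:
    """Annual loss avoided by the control across the valued assets it covers."""
    return sum(annualised_loss_expectancy(a) * control.rate_reduction
               for a in assets
               if a.value_gbp is not None and a.name in control.covers)


def rank_controls(controls: List[Control], assets: List[Asset]) -> List[Tuple[str, float, float, float]]:
    """Controls ordered by loss avoided per pound of annual cost: (name, benefit, cost, ratio)."""
    rows = []
    for c in controls:
        benefit = control_benefit(c, assets)
        rows.append((c.name, benefit, c.annual_cost_gbp, benefit / c.annual_cost_gbp))
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed register. "HR records" deliberately has no valuation yet.
ASSETS = [
    Asset("customer card data", "customer data", 2_000_000, 0.2, 0.5),
    Asset("product designs", "IP", 5_000_000, 0.05, 0.4),
    Asset("public website", "operations", 300_000, 1.0, 0.1),
    Asset("internal wiki", "operations", 50_000, 0.5, 0.2),
    Asset("HR records", "employee data", None, 0.3, 0.5),
]

# Constructed candidate spend: one big-ticket platform and two gap-closing fixes.
CONTROLS = [
    Control("vendor threat-intel platform", 250_000,
            frozenset(a.name for a in ASSETS), 0.1),
    Control("patch legacy payment hosts", 40_000,
            frozenset({"customer card data", "public website"}), 0.5),
    Control("supplier access review", 20_000,
            frozenset({"product designs"}), 0.4),
]


if __name__ == "__main__":
    print("Needs valuation before it can be scored:", unvalued_assets(ASSETS))
    for name, ale in prioritised_assets(ASSETS):
        print(f"{name:24s} expected annual loss £{ale:,.0f}")
    for name, benefit, cost, ratio in rank_controls(CONTROLS, ASSETS):
        print(f"{name:30s} avoids £{benefit:,.0f}/yr for £{cost:,.0f}/yr (ratio {ratio:.2f})")
```

Two design choices matter here. Unvalued assets are returned separately rather than silently scored as zero, so the register cannot look complete while the inventory step is unfinished. And the vendor platform ranks last not because threat intelligence is useless, but because, against this register’s local context, the cheaper controls that close known gaps remove far more expected loss per pound; swap in real valuations and rates and the ranking may well change, which is exactly the point about context.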
If you are after a board-pleasing, peer approved, big ticket fix, then please ignore everything here and be my guest. But, as Robert Duncan (CISO of Euronext), so vividly says in his excellent LinkedIn post, there are other kinds of inherent risks to consider before signing on the dotted line:
“Creativity in our industry has, more or less, been outsourced to vendors. Want a new layer of defence (there I go with that cliché already!) – well, lucky you, dozens of vendors are there to tell you about all the old approaches that no longer work, their new silver bullet solution, or ask you why you are spending 1 million of capex when you could be spending 200K of opex with them on a cloud based solution for problem X, Y, or Z. Want someone to blame as a CISO when you are next breached: (*you will still be fired) Bring in more vendors, especially top names, and buy things from Gartner’s magic quadrant, then claim ‘what else could you have done’?”