Source: Juniper Networks.
A June report* by RAND found chief information security officers (CISOs) often face a confusing landscape when deciding on the most efficient and cost-effective way to manage the security risks to their business. The research also indicates that many companies are spending increasing amounts on cybersecurity tools, but are not confident that these investments are making their infrastructure secure.
Juniper Networks believes CISOs need a way to better understand the variables that most influence the cost of managing cybersecurity and the different decisions they can make to protect their organisations. RAND has developed a heuristic economic model that addresses this need. The model projects that the cost to businesses of managing cybersecurity risk will increase 38% over the next 10 years, driving Juniper to call for organisations to start managing security spending and risk management as a discrete business function.
Juniper Networks lists five factors confirmed by RAND’s model that companies should consider as they evolve their security postures:
Security tools lose value
Attackers are constantly developing countermeasures to defence systems such as sandboxing or antivirus technologies. RAND’s model projects that over 10 years the effectiveness of these technologies will fall by 65%. Companies must evaluate the new tools they invest in, choosing those not prone to countermeasures, and focus on improving security management, automation and policy enforcement across the corporate network.
The Internet of Things (IoT) is at a crossroads
According to RAND, IoT will have an impact on overall security costs. If security technologies and management are properly applied to IoT, companies may see savings in the long run. On the other hand, if companies struggle to apply security controls effectively, RAND’s model suggests that the introduction of IoT could increase the losses that companies experience due to cyber-attacks by 30% over the course of 10 years.
Invest in the workforce to lower cost
Companies can benefit from making people-centric security investments, such as in technologies that help automate security management and processes, advanced security training for employees, and hiring additional security staff. According to the RAND model, organisations with very high levels of security diligence are able to curb the costs of managing security risk by 19% in the first year and by 28% by the tenth year when compared to organisations with very low diligence.
No one-size-fits-all
RAND found small to medium-sized businesses benefit most from basic tools and policies, while large organisations and high-value targets require investments in a full range of policies and tools.
Eliminating software vulnerabilities
RAND’s model concluded that one of the most significant security issues that increases the cost to businesses is the number of vulnerabilities in the software and applications being used. RAND’s model found that if the frequency of software vulnerabilities could be reduced by half, the overall cost of cybersecurity to companies would decrease by 25%.
To bring the model to life, Juniper Networks is releasing an interactive interpretation of RAND’s economic model. This new tool provides businesses with general guidance on where the model suggests they should invest their time and resources across the major areas that they can control in order to reduce the potential costs.
Source: Juniper Networks. Skingsley.
"Additionally, APAC accounts for half of the world’s mobile subscribers and will remain one of the world’s fastest-growing mobile markets through 2020 and beyond [3], and the huge online population figures increase the surface area for potential attacks and the chance of facing security threats.
The RAND report revealed that attackers are constantly developing countermeasures to new detection systems. More so than other regions, companies in APAC must carefully evaluate the new tools they invest in, choosing those not prone to countermeasures, and focus on improving security management, automation and policy enforcement across the network."
*The Defender’s Dilemma: Charting a Course Toward Cybersecurity is authored by RAND Corporation security experts Martin Libicki, Lillian Ablon and Timothy Webb and is based on in-depth interviews conducted between October 2013 and August 2014 with CISOs on the current and emerging threat landscape. This research builds on the first report of the two-part Juniper-sponsored series from RAND, Markets for Cybercrime Tools and Stolen Data: Hackers’ Bazaar, which examined the economic drivers for attackers and the sophisticated underground black market created to scale their efforts.
[1] PWC Global State of Information Security Survey 2014 – http://www.pwc.com/gx/en/consulting-services/information-security-survey/download.jhtml
[2] KPCB/Mary Meeker Internet Trends 2015 presentation: In 2014, there were 2.8 billion Internet users, 23% in China, 28% Asia (ex China).
[3] 9 June 2014: GSMA Mobile Economy