Did you know that six years ago, cybersecurity didn’t even rank in the top ten risks prioritized by company boards? Today, we live in a world where cybercriminals seem to have the advantage as they continually find new ways to steal sensitive information. Despite organizations across the globe spending more than ever to manage cyber risk, attackers continue to get through.
So, what has caused cybercriminals to now have the upper hand? A recent report by Intel Security and McAfee answers exactly this question. These new findings tell us that it could come down to misaligned incentives between attackers and defenders. For MSPs, this presents new opportunities to restructure services and internal processes to incentivize innovation and improve security services.
What Causes Misaligned Incentives in IT?
The study identified a few key contributors to misaligned incentives. The first is rigid corporate structures. Corporate bureaucracy puts cybersecurity professionals at a disadvantage against their adversaries because they must work within strict constraints formed by governance, risk management and structured workflows. In contrast, cybercriminals have significant flexibility through freeform, ad-hoc networking. Thus, the defenders are at a slight disadvantage and don't have the opportunity to meet the attackers on the same playing field.
Strategy versus implementation is another problem commonly encountered in large organizations, the report found. While 93 percent of respondents have plans in place for current and future threats, those plans may not be as comprehensive as the executives believe. Cyber-defense operators feel the strategies in place primarily address current threats, but emerging exploits and security holes are not handled appropriately, which leaves the companies at risk from innovative attackers.
Executives and operators often use different key performance indicators to measure success, which also creates internal discord. Front-line cybersecurity professionals measure success by looking at their overall breach incidents, conducting penetration testing, calculating cost of recovery and performing vulnerability scans. The executives are primarily concerned with general performance numbers and the costs associated with these procedures.
Lastly, cybersecurity teams lack the incentives and rewards their adversaries receive. Cybercriminals get a big payoff when they successfully receive a ransom or breach a system. They have the tools to experiment with new methods to beat the security systems in place, while internal IT teams are often restricted by corporate bureaucracy.
How MSPs Can Improve Services, Appeal to Customers and Regain Power from Cybercriminals
So, what can MSPs do to level the playing field and remove the power from cybercriminals? The report offered several ways to improve your current cybersecurity offerings, bring in more customers and win out over hackers.
The cybersecurity-as-a-service model is an excellent product to show potential clients as a way to combat cybercrime-as-a-service. Black hat communities (hackers that break into systems without the owner’s permission) respond to the market forces that drive innovation, add a competitive element and improve their overall skill set. Intel suggests emulating this in your organization by acting as your clients’ security contractor.
Rolling out performance incentives is another way to gain the advantages attackers have in the cybersecurity war. Operators who are recognized and rewarded for thwarting attacks have more reason to put forth the extra effort. The organization benefits from better defense and more responsive patching. Some examples of effective incentives include awards and bonuses, reimbursing operators for training that expands their skills, offering flexible schedules and providing the opportunity to make a significant difference.
Leveraging the global talent pool also gives you different backgrounds, perspectives and skill sets to pull from. The Intel study found that foreign information and communications technology (ICT) specialists often enter black hat communities because they have no legitimate opportunities in the IT industry in their countries. This approach also helps you fill the IT skills gap and stop one more person from becoming a cybercriminal.
For these strategies to work, you also need consistent success metrics in place so everyone knows what a successful security outcome looks like. A single version of the most important metrics allows operators and executives to understand expectations in cybersecurity.
Cybercriminals aren't going away anytime soon, but you can beat them at their own game! Properly incentivizing cybersecurity teams and promoting an innovative environment will allow you to fight back against these frequent attackers and keep your clients protected.