As the old saying in politics goes, “it’s the economy (stupid)”, and the same holds for the fight against cyber crime: nothing will change until the economic incentives change. That was the message of the keynote address by Larry Clinton, president of the Internet Security Alliance (ISA), to the 2022 FAIR Conference, the recently concluded gathering of risk management and security professionals.
The ISA is known for books such as the Cyber-Risk Oversight Handbook for corporate boards, Cybersecurity for Business and Fixing American Cybersecurity, all of which make the point that “cyber is not a technology issue, it is a strategic enterprise-wide issue,” as Clinton told the conference, to applause from the crowd of practitioners of Factor Analysis of Information Risk (FAIR™), the international standard for quantifying cyber risk in economic terms.
Right now, Clinton said, the economic and national-security incentives all run the wrong way.
On the offense side:
>>Cyber crime is a low-risk, high-return business. By Clinton’s figures, cyber crime revenue of $6 trillion outstrips the revenue of the US government, and at the high end cyber criminals can afford to buy technical talent on a par with the most advanced IT companies.
>>Nation states successfully attack the US and its allies with impunity (the SolarWinds supply-chain compromise, the OPM breach, election hacks).
On the defense side:
>>The internet was built vulnerable and becomes more vulnerable with every advance in technology and business strategy: VoIP, cloud, the remote workforce.
>>Online risk is allocated poorly. Developers are not compensated for strengthening their code, for instance, so the cost of weak code falls on those who run it. And private companies effectively finance national security through their own cybersecurity investments.
Clinton presented three ways to put this right:
>>A large-scale mobilization to turn out an expanded cybersecurity workforce through a Cybersecurity Academy offering training at many schools.
>>A range of incentives to improve the security of critical infrastructure, such as insurance and regulatory relief.
>>Regulatory reform with mandates ensuring that every organization does “sophisticated cyber risk analysis that blends into their business plan”, in effect a recommendation for universal adoption of Factor Analysis of Information Risk (FAIR).
Coming soon: watch the video of Larry Clinton’s keynote speech on the FAIR Institute’s LINK community site (FAIR Institute Contributing Membership required).