June 26, 2015 By Douglas Bonderud 3 min read

Companies are starting to panic. Day after day, week after week, CISOs and IT professionals hear the same refrain: Attackers are gaining ground, and defenders simply don’t have the technical know-how and funding to push forward and take back lost territory. According to SecurityWeek, which was diving into a new report from the RAND corporation, money and expertise aren’t the problem: Leadership is lacking. As a result, “defenders responsible for protecting corporate and personal data are unprepared, overwhelmed and unsupported.” But is it possible for CISOs and other executives to step up and take command, or was this a losing battle from the start?

Funds and Failures of Leadership

As noted by the RAND report, “The Defender’s Dilemma,” even with security spending set to reach $70 billion annually, “chief information security officers (CISOs) feel they are treading water at best — investing more money in security without feeling any more secure.” They’re worried that attackers are gaining on defenders and concerned they haven’t invested budgets wisely. What if a new subset of data is targeted or employees accidentally download malicious third-party apps onto corporate-connected mobile devices? The sheer number of attack avenues often leaves IT departments paralyzed, certain they must do something but unable to choose what.

Consider what’s happened to the U.S. Office of Personnel Management (OPM), which according to NBC News has suffered data loss totaling millions of records spanning current and former federal employees along with citizens who applied for security clearances. Critics say the embattled head of the OPM hasn’t displayed any kind of leadership or a sense of urgency when it comes to these cybercrimes. The director, meanwhile, raises the issue of budgetary constraints, claiming that without enough resources it’s not possible to mitigate the threat of cyberattacks. It’s a game of blame and brinkmanship — no one wants to take responsibility because no one really knows the cause.

Attacks and Retaliation

The RAND report points out that current landscape in corporate security can be traced to the adversarial dynamic of measures and countermeasures. Attackers need only find a single loophole to exploit corporate vulnerabilities and steal valuable data, while security teams are responsible for the constant monitoring of their entire network for new threats, along with developing ways to counter existing problems. This job becomes even more difficult thanks to chronic underfunding of IT security efforts, which is common because it’s so difficult to link prevention and ROI — how can something that’s not happening drive revenue? CISOs and other security leaders, therefore, are dealing with pushback on both sides.

The People Project

So how do companies change the security dynamic? According to the RAND report, investing in people-centric technologies is the first step. By spending on tools to automate security management, advance training for existing staff and even hire new professionals, companies significantly reduced their long-term operational costs for security management. Moving forward, however, requires a rethinking of the current attack/defender landscape.

What’s the biggest challenge for IT security? Guarding a mutable and ever-expanding network border. The problem? This isn’t difficult but impossible no matter how many guards hired or walls built, some portion of the border will always be left undefended, presenting the perfect opportunity for cybercriminals. For CISOs and other security executives to truly tap leadership potential, teams need a change of focus: It’s not about reclaiming virtual ground or planting corporate flags — it’s about meeting attackers head-on and tackling challenges as they arise. By investing in staff training and tools to recognize aberrant behaviors in real time and empowering them act immediately, companies can toss aside old notions of territory and tenacity, instead focusing on drilling down to capture rogue processes the moment they appear.

Companies can’t win the cybersecurity war with bigger budgets and the same old strategy. People-centric technologies empowered by true leadership, however, could turn the tide.

More from

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today