Friday, May 10, 2013

No Room For Guessing Games in Information Security

The Global Cost of Cyber Security?

The information security industry, for the most part, has been working hard to reshape how users think about security. Before this reshaping took place, security was a nuisance for enterprises, was overlooked by developers (i.e., security-as-a-fix instead of security-at-inception), and was unknown to end users.

Fortunately, the trend is changing. For example, CXOs are now less reluctant to approve those line items in the budget related to securing their enterprises, and end users are becoming more aware of cyber security and its consequences.

For me, trying to estimate the global cost associated with cybercrime is one of those ‘somethings’. The inherent complexity associated with the global space of cybercrime events prevents us from calculating a reliable cost estimate with respectable accuracy and precision.

Not so long ago, Symantec asserted that cybercrime was costing us about $110 billion per year. Around the same time, McAfee stated that cybercrime was instead costing us approximately $1 trillion per year. I wonder which one is right? It’s a conundrum, indeed.

For years, I have watched these sorts of global cost estimates travel across the wire, and yet I have found little use for the information because the data points are, with absolute certainty, all over the board.

Nowadays I simply ignore these ‘informationals’ when they cross my path—long-term exposure to them has desensitized me. However, these changes would not have occurred if our industry were desensitizing our target audience with inaccurate information.

The moral of this story—we as security professionals need to focus on relaying relevant information to the rest of the world and to do so as accurately as possible. There is no room for guessing games in our industry.
