I saw an interesting infographic recently:
So, apparently the UK Police Central e-Crime Unit spent £17.2M and prevented £1B of cybercrime over 18 months - 58 pounds of cybercrime prevented for every pound spent.
Earlier this year, McAfee and the Center for Strategic and International Studies produced the "Economic Impact of Cybercrime and Cyberespionage" report, which showed:
If we take the midpoint of the estimated cost of global cybercrime, we get a global cost of $650B. If we gave the UK chaps $11.2B (or if everyone were as efficient as they are), we could prevent all of that cybercrime!
Now, that sounds like a lot of money. But various analyst estimates put global security spending at somewhere between $60B and $90B, so (once again using the mid-range) another $11B is less than a 15% increase.
Or, to put it another way: if we reduced the cost of our existing defenses by 15%, we could apply the savings to high-payback techniques that would dramatically increase our prevention of incidents. Maybe we wouldn't really get a 58x reduction per security dollar spent, but who knows? All these numbers are imaginary anyway - maybe we'd actually get a 100x reduction for every "smart" security dollar spent. Or, to make 58 the midpoint, maybe we'd only get 16x...
Here's a simple example: what about using that 15% to implement auto-patching, whitelisting and sandboxing on every user PC?
Never happen - users would revolt, management wouldn't back you, you say? But all those users on iPads and iPhones are using auto-patched, whitelisted, sandboxed personal computing devices - and loving it. In fact, those auto-patched, whitelisted, sandboxed users are demanding that IT let them use those devices in addition to (or, increasingly, instead of) the slowly patched, wide-open PCs the company wants them to use.
It really is time to rethink how you spend that first dollar of security (to paraphrase Bryan Palma when he was CISO at Pepsi) rather than just hoping that adding more security dollars will get you that 58x payback.
When I played lacrosse in high school, the coaches used to tell us we couldn't drink water because it would give us cramps, and that slamming our helmets into each other before the game would make us more ready to play. There are a lot of security myths out there (We can't patch! We can't whitelist! We can't sandbox!) that are akin to thinking dehydration and intentional concussions are performance enhancers.