I was at The Open Group conference this week and there was an interesting presentation by Larry Clinton of the Internet Security Alliance. He pointed to two recent publications that can be downloaded:
- The Financial Impact of Cyber Risk (50 questions Every CFO should ask)
- The Financial Management of Cyber Risk (an implementation framework for CFOs)
The first document provides questions for the various parts of the business to help understand their perspective of cyber security related risks to the organization (looking at a range of dimensions like cyber-crime, business continuity, data regulatory risks…). It looks at some of the items that I was asking some cloud experts about the other day.
The second document looks at what to do about the answers you received but didn’t like.
As Larry Clinton stated in his presentation, the current economic incentives favor the attacker:
- Attacks are cheap
- Vulnerabilities are almost infinite
- Profits from attacks are enormous
- Defense is costly
- Defense is often futile
- Costs of attacks are distributed
Having said all that though, much can be done. For businesses it can be like the two guys who were camping and were woken by a bear in the middle of the night. One starts to put on his tennis shoes and the other starts running. The runner looks back and asks, “Why are you putting on your shoes?” The first guy says, “I know I can’t outrun the bear, but I just need to outrun you.”
If your organization is more difficult to breach, there are enough easy pickings out there to keep attackers busy, unless they really are after you.