Are we losing yet?

That’s what I asked myself after reading the IC3 Internet Crime Report, which shows:

  • A 22.3% increase in complaints over 2008
  • Total dollar loss from all referred cases was $559.7 million, **up over 110%** from 2008
  • Of the top five categories of offenses, identity theft ranked second, at 14.1% of complaints; computer fraud (destruction/damage/vandalism of property) ranked fifth, at 7.9% of complaints.


The security industry readily admits that cyber-criminals are evolving their attack tactics faster than we’re evolving our defenses. How long can we continue to fall behind before we should start saying that we’re losing?
At an aggregate, I don't think we're losing yet. We're starting to understand the cost of security. It's well understood we're reactive when it comes to unforeseen outcomes. Individuals and businesses are starting to collect sufficient evidence on the impact and value of security. As bottom lines are affected, people will increase focus, vote with their dollars, security teams will advance their processes, and the vendor community will respond to demand (both consumer and biz). Every IT shop I've worked in knows they can do better. It's inefficient, but who's to say it's less efficient than investing in resilient solutions that cost more than the above (joking, of course).
No need for security pros to say I told you so. We just now have better evidence to improve and justify the investment.

BTW: No disrespect to the victims and companies who suffer material impacts.

drivers and justification

Great insight, Jared. Yes, reactivity does seem to drive security programs. In a recent round of talks with security CISOs and VPs, it's clear that they all want to do more. But those who hold the purse strings and those from whom we require buy-in from a cooperation standpoint all seem to force security programs to focus on regulatory compliance first and foremost. Data security and avoiding a _public_ breach also factor in, and how much it factors does indeed often depend on whether you've been hit before. True IT risk management takes a back seat.
I do think we need to focus on why that is, and what we as security practitioners can do to improve how we communicate our value to the business, as well as how we measure it. Not original thoughts, to be sure (we've been writing about that for about 5 yrs now), but they still bear mentioning.