RAND Corporation Model Projects a 38 Percent Increase in
Cybersecurity Costs Over the Next 10 Years
SUNNYVALE, Calif.--(BUSINESS WIRE)-- Juniper Networks (NYSE:JNPR), the industry leader in network innovation, in
partnership with the RAND Corporation, a nonprofit institution that
helps improve policy and decision-making through research and analysis,
unveiled new insights into the economic challenges, trade-offs and
demands facing companies as they protect themselves against increasingly
complex security threats.
The in-depth report by leading economic and cybersecurity experts at
RAND found chief information security officers (CISOs) often face a
chaotic and confusing landscape when deciding the most efficient and
cost-effective way to manage the risks posed by security to their
business. Most troubling, the research indicates that many companies are
spending increasing amounts on cybersecurity tools, but are not
confident that these investments are making their infrastructure secure.
Juniper Networks believes this dynamic is due to a lack of solid
calculus that considers both the cost of security tools and resources,
and the potential cost of a breach, which by definition is neither
certain nor predictable. CISOs need a way to better understand the
variables that most influence the cost of managing cybersecurity risk
holistically and the different decisions they can make to protect their
organizations. To address this need, RAND developed a heuristic economic
model that for the first time maps the major factors and decisions that
influence the cost of cyber-risk to organizations, which is discussed in
“The Defender’s Dilemma: Charting a Course Toward Cybersecurity,” the
second report of a two-part series.
With RAND’s model projecting the cost to businesses in managing
cybersecurity risk set to increase 38 percent over the next 10 years,
Juniper believes that the time is now for organizations to start
managing security spending and risk management as a discrete business
function. Just as there are established models that help organizations
understand and achieve their strategic marketing or sales goals and
objectives, security teams need a way to help better understand the
economics of managing security risk, the range of variables implicated,
and what investments should be made to more efficiently protect
infrastructures.
News Highlights:
Juniper Networks believes there are five major factors confirmed by
RAND’s model that companies should strongly consider as they evolve
their security postures:
- Many Security Tools Have a Half-Life and Lose Value: Attackers
are constantly developing countermeasures to new detection systems
such as sandboxing or anti-virus technologies. This dynamic ultimately
drives up the amount companies must spend on security technologies to
maintain the same level of protection. RAND’s model projects that over
10 years the effectiveness of these technologies that face
countermeasures falls by 65 percent. Companies must carefully evaluate
the new tools they invest in, choosing those not prone to
countermeasures, and focus on improving security management,
automation and policy enforcement across the corporate network.
- The Internet of Things (IoT) is at a Crossroads: According to
RAND, IoT will have an impact on overall security costs; however, it’s
unclear if it will be positive or negative. If security technologies
and management are properly applied to IoT, companies could actually
see savings in the long run. On the other hand, if companies struggle
to apply security controls effectively, RAND’s model suggests that the
introduction of IoT would increase the losses that companies
experience due to cyber-attacks by 30 percent over the course of 10
years.
- Investing in the Workforce Leads to Fewer Costs Over Time: Companies
can benefit greatly in making people-centric security investments,
such as technologies that help automate security management and
processes, advanced security training for employees, and hiring
additional security staff. According to the RAND model, organizations
with very high levels of security diligence are able to curb the costs
of managing security risk by 19 percent in the first year and 28
percent by the tenth year when compared to organizations with very low
diligence.
- There is No One-Size-Fits-All: Companies are likely not taking
the optimal economic strategy with their investments, which should
vary greatly from company to company based on their size, type of
information that exists and the diligence of security staff.
Specifically, RAND found small to medium-sized businesses benefit most
from basic tools and policies, while large organizations and
high-value targets require investments in a full range of policies and
tools given the likelihood that they will be targeted by an advanced
attack.
- Eliminating Software Vulnerabilities Leads to Major Cost Reductions:
RAND’s model found that one of the most significant security issues
that increases the cost to businesses is the number of vulnerabilities
in the software and applications being used. RAND’s model found that
if the frequency of software vulnerabilities could be reduced by half,
the overall cost of cybersecurity to companies would decrease by 25
percent.
To bring the model to life, Juniper Networks is releasing an interactive
interpretation of RAND’s economic model. This new tool provides
businesses with general guidance on where the model suggests they should
invest their time and resources across the major areas that they can
control in order to reduce the potential costs.
“The Defender’s Dilemma: Charting a Course Toward Cybersecurity” is
authored by RAND Corporation security experts Martin Libicki, Lillian
Ablon and Timothy Webb and is based on in-depth interviews conducted
between October 2013 and August 2014 with CISOs on the current and
emerging threat landscape. This research builds on the first report of
the two-part Juniper-sponsored series from RAND, “Markets for Cybercrime Tools and Stolen Data: Hackers’ Bazaar,” which
examined the economic drivers for attackers and the sophisticated
underground black market they’ve created to scale their efforts.
Supporting Quotes:
“The security industry has struggled to understand the dynamics that
influence the true cost of security risks to business. Through Juniper
Networks’ work with the RAND Corporation, we hope to bring new
perspectives and insights to this continuous challenge. What’s clear is
that in order for organizations to turn the table on attackers, they
need to orient their thinking and investments toward managing risks in
addition to threats.”
- Sherry Ryan, chief information security officer, Juniper Networks
About Juniper Networks
Juniper Networks (NYSE:JNPR) delivers innovation across routing,
switching and security. Juniper Networks’ innovations in
software, silicon and systems transform the experience and economics of
networking. Additional information can be found at Juniper Networks (www.juniper.net) or connect with Juniper on Twitter and Facebook.
Juniper Networks and Junos are registered trademarks of Juniper
Networks, Inc. in the United States and other countries. The Juniper
Networks and Junos logos are trademarks of Juniper Networks, Inc. All
other trademarks, service marks, registered trademarks, or registered
service marks are the property of their respective owners.
View source version on businesswire.com: http://www.businesswire.com/news/home/20150610005360/en/
Source: Juniper Networks, Inc.