A new report by Intel Security has revealed that there is a significant gap between strategy and implementation of cyber security measures, allowing hackers to beat the defenders and capitalise on their malicious actions.
The report shows three key areas in which misaligned incentives are advantageous to cyber criminals: between fluid attackers and bureaucratic defenders; between organisational strategy and real-world implementation; and between executives and implementers who measure success differently.
93 percent of organisations included in the survey claimed to have a strategy for cybersecurity, while only 49 percent had actually implemented the strategy.
The report shows that executives who are structuring and laying out the plans for cybersecurity are lacking synergy with the defenders who are facing the cyber-threats head on.
The gap between executives and those on the frontlines is a key area outlined in this report, as 60 percent of IT executives believe their cybersecurity strategy is fully implemented, while only 30 percent of IT staff agree.
Executives setting fixed plans of action for cybersecurity appear to be making attackers more formidable, as the report found that bureaucracy and top-down decision making limit the capabilities of those defending.
The report also shows that attackers who thrive in a fluid, decentralised market are capable of easily side-stepping rigid strategies agreed on by executives who are detached from the action.
The problem unearthed in the report leads to the conclusion that IT staff need to be allowed the freedom to take on the attackers unshackled, while also having their goals incentivised.
Candace Worley, vice president of enterprise solutions for Intel Security, said: “The cybercriminal market is primed for success by its very structure, which rapidly rewards innovation and promotes sharing of the best tools.”
“For IT and cyber professionals in government and business to compete with attackers, they need to be as nimble and agile as the criminals they seek to apprehend, and provide incentives that IT staff value.”
Denise Zheng, director and senior fellow, technology policy program at CSIS, said: “How governments and companies address their misaligned incentives will dictate the effectiveness of their cybersecurity programs. It’s not a matter of ‘what’ needs to be done, but rather determining ‘why’ it’s not getting done, and ‘how’ to do it better.”
This article is from the CBROnline archive: some formatting and images may not be present.