May 24, 2017
By Steve Conway, Hyperion Research
It’s no secret that the cybersecurity (encryption/decryption) needs of the WWII Allies helped spawn the computer industry, or that intelligence agencies in many countries continue to rely heavily on high performance computing (HPC) for their cybersecurity work.
What about the private sector? In the past two years, IDC’s HPC team (now called Hyperion Research) has conducted major studies on cybersecurity practices in the U.S. private sector, with special attention to the roles of HPC and big data analytics. The findings are both sobering and promising.
Our studies on the cybersecurity practices of U.S. businesses revealed a spectrum of attitudes and approaches to the growing challenge of keeping corporate data safe. While the minority of cybersecurity “best practitioners” set an admirable example, the findings indicate most U.S. companies are underprepared to effectively deal with potential security breaches from outside or inside their firewalls. There is a frequently cited belief among the interviewed firms that a breach is inevitable, yet many seem content to wait until then to focus harder on cybersecurity.
The findings imply that the U.S. private sector is more exposed to cybersecurity threats than it needs to be, given the best practices that are available today. The situation will improve substantially only in response to more pervasive, serious breaches—and it’s clear that breaches are becoming more frequent and damaging.
Highlights of the Studies
- Rated best at cybersecurity are large firms in the financial services, retail, life sciences and technology sectors. Among the worst are universities and hospitals.
- It can take two years or more to detect a successful breach, meaning companies may already have been breached without realizing it. Hence their emphasis is typically more on forensics, to identify and respond to breaches, than on prevention.
- The worst practitioners value access to data and business continuity above security. To protect against breaches, they up their insurance coverage rather than improve security. This transfers financial risk but does little to safeguard the companies’ most valuable assets—their reputations.
- A more typical approach is to benchmark your cybersecurity defenses only against those of your direct competitors, in the belief that being harder to breach than rivals will likely ward off cyberattacks. This is akin to the camper’s argument to his companion: “I don’t need to outrun the bear; I only need to outrun you.” The problem, of course, is that some attackers are “smarter than the average bear,” are not focused only on your industry, and may not be motivated by anything other than an easy target.
- The best practitioners view cybersecurity and the risks it poses to their businesses far more seriously. They tend to see it as a talent contest that pits the attackers’ brains against the best cyber minds in their company. They pay top salaries for the best cybersecurity talent. They quantify the risk associated with potential breaches and use that information to argue for adequate funding for cybersecurity. They value processes, including clean desk policies, employee training and frequent penetration testing, far more highly than software or other defensive tools. Most importantly, they have detailed plans in place for responding to a serious breach, including communications procedures that map out who contacts whom (including the media) in what sequence, how to use replicated data needed for business continuity, and so forth.
Fortune 2000-class cyber teams reported that, in the past two to three years, they have evolved from “sleepy village” operations to busy, mission-critical enterprise units driven by escalating cyber threats. They have had to come up to speed quickly using proven tools and approaches. Few teams have had time to investigate and implement newer advanced analytics (“big data”) capabilities. Almost no one had used advanced analytics for cybersecurity long enough to measure its effectiveness.
Nevertheless, most respondents expect to use big data capabilities for cybersecurity in the future (a few already do). Dell EMC and some other HPC vendors have developed solutions to serve this high-potential market.
Steve Conway is senior vice president of research at Hyperion Research.