Cybersecurity by the Numbers

Dec. 17, 2018

Nearly thirty years ago, Dr. Larry Ponemon, a security metrics pioneer, started his foundation to perform analyses and research into various areas of what we now call cybersecurity.  A cornerstone of his published works are the ongoing assessments of the imputed cost to business of breaches, cybercrime, and data exfiltration.  When I worked for a security technology vendor, the release of one of Dr. Ponemon’s reports would be treated like a red-letter day in the marketing department. 

Gleefully, the marketers pounded away on their keyboards, producing PowerPoint slides featuring these humongous, eye-watering numbers.  The slides found their way first into the decks used by the sales team, and then into marketing and public relations documents.  Executives and company spokespeople parroted these new talking points to ensure new and potential customers were adequately aware of their huge financial risks based on the Ponemon studies. 

This data represents the classic FUD aspect of a cybersecurity presentation: fear, uncertainty, and doubt.  Whether the presentation was used for sales, research, or just information sharing, they were almost always used in the first five slides of any deck to frame the discussion around financial terms to show the potential monetary impact for not remediating the subject risks adequately.  For a vendor salesperson, the unstated implication was always that any amount the client spent on safeguards that came in even just pennies below the stated likelihood of loss would accrue in their favor.  Basically, if the Ponemon study arrived at projected loss expectancy of $480,000 for a breach for your organizational size, any amount of services and products you bought that came in at or below that figure would be worthwhile.  It should go unstated that’s certainly not how empirical risk management processes work, but the simple formulation of expected annual loss compared to cybersecurity safeguard investments was positioned as a powerful motivator.  It wasn’t.

When we see numbers pop up in a cybersecurity presentation, the first thing we should question is the source and veracity of the numbers.  Especially when they are expressed behind a dollar sign.  Those organizations that slide these figures into their presentations, articles, and pronouncements are all obliged to explain the sources and methodologies to help the audience assess the relevance and accuracy of the metrics. 

My favorite metrics are ones from studies where the respondents are all cybersecurity professionals.  If the results are meant to disclose the perceived importance of cybersecurity in the enterprise, should we be impressed with numbers showing a large percentage of respondents espouse strong support for cybersecurity initiatives?  If I surveyed all the ballet teachers I can find, should it surprise anyone if the results of my analysis showed overwhelming support for an increase in wages for ballet teachers?

Last month, (ISC)2 released its 2018 Cybersecurity Workforce Study showing an encouraging number: 24 percent of our workforce is female.  Just last year, the popular number seen in the media was 11-13 percent.  Naturally, everyone wanted to know what happened in the intervening period.  Are we really making a huge leap by doubling the number of female professionals in just one year?  The answer is far more nuanced. 

It turns out the popular 2017 number of 13 percent was simply extrapolated from a broader information technology assessment that found the participation of women in the IT field was 13 percent.  Many media outlets just grabbed that number and assumed it held constant for the cybersecurity profession.  Most people simply assumed cybersecurity is just a subset of the larger IT profession, and we can all safely assume the attributes are about the same.  It appears the common answer was simply wrong.

The (ISC)2 study can demonstrate its methodology validating the greater accuracy of the 24 percent number.  That’s great news for everyone.  We cannot reach back with any real accuracy, so we must use this number as a starting point and keep a close eye that we are all working to make our career field more inclusive.  It looks like we are already making progress, and going forward, we will reap the benefits if we stay on this path.  More accuracy in the numbers should clarify where we are, and how far we need to go.