Greg Young of Gartner posted here about the sorry state of security – but is that really the case?
Before there was postal mail, all fraud and scams were done in person. Of course, there were a lot fewer transactions because everyone had to be near each other to transact. Once postal mail came along, mail scams followed and fraud went up – but transactions went up faster.
Once the telephone came along, telephone scams came about and grew tremendously – but transactions grew faster. As soon as they had office phones, employees started calling sex lines and accepting calls from fraudsters – but business use of telephones increased the business bottom line faster. When the mainframe penetrated businesses, users and admins found ways to access and misuse data – but the business value went up faster.
Once dial-up modems came about, computer scams and viruses started up – but business value went up faster. Once high-speed Internet, wireless LANs, Web 2.0 and the rest happened, there was more malware, more viruses, more scams and more fraud – but transactions went up faster. And so it goes.
The total number of attacks or malware samples is meaningless on its own – it's all about the percentages. If the number of people with a disease increases 5% but the total population increases 10%, is the problem getting worse or getting better? Online commerce has led to an explosion of exposure incidents, but to a bigger explosion in revenue.
In many industries there are decades of evidence that a loss of roughly 2-3% of revenue to crime and fraud is typical. That loss is generally split about equally between the actual loss of revenue and the cost of the controls required to keep the loss at that level. As new forms of fraud come up, the number goes up a bit; then the controls are adapted and the total loss of revenue stabilizes again.
Technology, threats and businesses are not going to stand still, and users are not going to become security experts in the cyber-world any more than they have in the physical world. Heck, Bernie Madoff ran the oldest scam in the book and took people for $50B – and really didn't need a single computer hack to do so.
It's all about getting more efficient (consuming fewer resources) in dealing with the old threats and getting more effective (applying resources more quickly) in dealing with emerging threats – that's how we get things back to an acceptable level of impact on the business bottom line. Businesses that get out of balance in either direction have unsuccessful security programs: the ones that avoid attacks by restricting the business too much, and the ones that place no restriction on the business and so incur too many attacks. The total number of threats in the universe, or the total number of column inches publicizing attacks, is for entertainment purposes only.