“In The Art of War, Sun Tzu discusses the economic considerations of war, front and center. The business of cyber-security is also an economic game”, writes Gaurav Banga in a clearly conceived overview of the contemporary threat landscape. The balance of costs and capabilities is presently skewed against the defender. To turn this around requires, first of all, a coherent strategic grasp of the problem, grounded in economic reality. He suggests:
You cannot afford to keep doing more of what you have done in the past, or more incremental versions of this stuff. You have to look beyond Security 1.0. In order to level the playing field, organizations must invest in a strategy that will directly impact the economic costs to malicious actors.
Close your eyes and visualize a heat map of risk for your enterprise. In this picture, every one of your endpoints, enterprise owned or employee owned, client or server, on-premise or cloud hosted, is a little red dot. The size and color intensity of the dot are proportional to the amount of information on the endpoint, and the nature and frequency of Internet interactions that each endpoint has. This is the battlefield!
You are looking for products that reduce your exposure. Your investments must protect your information from unknown Internet programs that run on your endpoints, while still supporting such programs seamlessly. This isolation technology must be simple and robust, like disposable gloves in a hospital. It must be designed such that it costs the adversary significant time and money to try to break through. Ideally, you must also be able to fool the adversary into thinking that they have succeeded, while gathering intelligence about the nature of the attack.
The emerging IoT also has people worried.