Op-ed. Infosec numbers don't add up: we need better training, standards, accountability.
http://cdn.arstechnica.net/wp-content/uploads/sites/3/2016/06/infosec-2015-640x426.jpg
by Rupert Goodwins - Jun 9, 2016
To listen to the vendors of business information security services and products—universally known by the faux-cool, quasi-spy name "infosec"—there is safety in numbers, as long as those numbers are big enough and on the bottom of a purchase order.
Walking around Infosecurity Europe 2016, ”Europe’s number one information security event" according to the organisers, you can see the results of this strategy: nearly 400 exhibitors, offering a grab bag of intruder detection, inside threat analytics, bad actor exclusion, malware screening, phishing and whaling protection, and many more, in exchange for their slice of the $80 billion (£55 billion) global infosec budget.
Read the real-world news, though, and the numbers don't seem to add up. Major security breaches and consequent customer damage seem to happen every day—but that’s not an accurate perception. With some 65 percent of companies worldwide reporting attacks getting through, the true daily rate is probably in the high hundreds of thousands. Factor in attacks on personal IT, and a breach rate of around one megacrime per day may even be low-balling it.
Full Article
