RAND study: Cyber-defense must change course, or else

Let’s get this out of the way: Defense isn’t sexy.

We mythologize being the hacker, not the hacked. That will never change, but in light of RAND’s new report The Defender’s Dilemma, something’s got to give — or else.

Under Juniper Networks, RAND today released the results of its multiphased study of the future of cybersecurity, The Defender’s Dilemma: Charting a Course Toward Cybersecurity.

The study isn’t as sexy as their previous report, Markets for Cybercrime Tools and Stolen Data: Hackers’ Bazaar, and it won’t grab headlines like its predecessor.

But for an attack landscape nerd and cybercrime junkie like me, the new study is actually more alarming.

The entire report is a bucket of cold water as to how unprepared, confused, and unsupported the people are whose job it is to protect your data.

RAND flatly states that today’s combination of skyrocketing cybersecurity spending and its “questionable success” creates a setup in which “security efforts cannot continue on this course.”

For the sprawling 162-page study, RAND “interviewed [18] chief information security officers (CISOs), reviewed the cybersecurity industry’s slate of cutting-edge products, and assessed the struggles of the software industry (and its foes) to make or (alternatively) break secure software.”

With estimated worldwide spending on cybersecurity approaching $70 billion per year, growing at roughly 10 to 15 percent annually (with no deceleration in sight), and a serious breach in news headlines practically every day … the problems with defense demand answers.

RAND’s Defender’s Dilemma finds answers, and they are uncomfortable.


Some of the initial findings in Defender’s Dilemma won’t surprise anyone in the security sector. Yet the report provides solid ground for certain already-present beliefs, like that cyberinsurance is a dubious investment, and that no one really knows what to do with threat intel.

Source: ZD Net

. . . . . . . .

Print Friendly, PDF & Email

Leave a Reply