Read the book The Security Culture Playbook - Perry Carpenter - Page 9
Why All the Buzz?
For decades, security programs focused on diligently deploying technology-based defenses aimed at keeping cybercriminals at bay. The industry focused on firewalls, intrusion detection and prevention systems (IDSs/IPSs), endpoint protection platforms (EPPs), secure email gateways (SEGs), and more. In truth, the technology has gotten very good. Despite all the focus and spend on security tools, however, the data breach problem is not going away. In fact, it's accelerating faster than the industry can effectively manage via traditional approaches. Figure 1.1 analyzes the amount of money spent on security products since 2007 versus the number of data breaches that occurred each year. The conclusion is clear: The current industry approach is not working.
Figure 1.1 Organizations globally have invested massively in cybersecurity, yet breaches continue to increase.
And here's where the buzz about security culture comes in. Leaders are realizing two things:
Technology-based defenses have gotten so good that attackers are being pushed to hack humans rather than spending weeks, months, or years researching and developing effective attacks to defeat technology-based defenses.
Humans are now the primary attack vector. As such, it's imperative to strengthen the human layer of security.
These two realizations (illustrated in Figure 1.2) have led to a growing interest in human layer defense. This isn't to replace any of the technology-based layers—those are still needed. But this is to strengthen a much-needed additional defensive layer.
Figure 1.2 Hacking the human yields the highest ROI for attackers.