In the quest to get attention from potential customers, I see a number of vendors pushing out reports and research on security. I admit, I am no better, in that my company does the same sort of thing: putting out interesting work for others to download and comment on.
In the past few weeks, a number of reports on breaches and who causes them have hit the media. One such report made the claim that 74% of all breaches were due to external actors, and pointed to hackers and the like. The same week, another report, from a different company, claimed that 74% of all breaches came from insiders, meaning people inside the organization or its extended value chain.
I am a lover of numbers myself, and the use of statistics and percentages is not uncommon for me, nor is it for my team. Yet there is a huge discrepancy between two reports on the same topic with wildly different findings – as in the case above. The funny thing is that, most likely, their datasets will prove both of them right. How can that be?
There are a number of reasons why – from the production of the datasets, to the industry sector, to the questions asked, and the products sold.
More important than why is the impact these kinds of reports have on those reading them: confusion. Most of us just want simple answers, easy and quick answers – those that can help us make the decisions we need to make.
Confusion is not helping: confusion results in questions, not answers. Here are some questions I have after seeing the two reports, admittedly just briefly:
- Who is it – insiders or outsiders – that is causing these threats?
- Is all the noise about the insider threat just that – noise?
- Do we really have no valid data to tell us whether the threat is from outside or the inside?
- In these times of big data, surely someone can tell us?
- Do we really (not) know?
This quickly leads to desperation and despair – if we don’t know, how can we fix the problem?
The challenge here is in the way we discuss and promote our own agendas. Some are driving the insider threat bandwagon, either because they have a product fit, or because their marketing team think it sounds nice.
Others are driving the outside threat bandwagon, again due to product fit, interest or even politics. These are not mutually exclusive, they can and will co-exist in most industries.
What I would like to see more of as we go forward are nuances. It is easy to make a “74% of …” claim – everyone and marketing can do that. Instead, let us have reports discussing the difference between industries where one can have 74% outside threats, and another can have 74% inside threats.
This level of detail will not only be of more value to the reader; it is also more likely to produce industry-specific information, thereby informing policies and driving relevant change.