I have been talking with others and doing a lot of thinking about infosec and economics as of late. When you read reports such as the Verizon Breach report or talk to security professionals, they will tell you that the motivators behind attacks today are largely economic. They will tell you we are no longer seeing the script kiddie out trying to make a name for himself, but that the world of hackers is dominated by cyber gangs and nation states motivated by economics and politics. My question today is focused on this very point: if attackers can see the economic value in security, why can't industry?
I understand that it may be an inverse correlation. The attacker is working with a business model where they sell a product, such as compromised systems or stolen assets. For industry, that inverse value should compute to a significant tangible value. How do you show the CFOs of the world that there is a definable value to recovered CPU cycles, or to data that does not walk out the front door? These may be abstract values, but placing a value on these abstract tangibles is an important challenge for the security professional. The attackers have been able to accomplish this task: they have taken the CPU cycles they are stealing and found a way to sell them. We need to find a way to price the CPU cycles that we are recovering and sell them back to the CFOs of our companies.
When we can stop working to compliance, stop relying on regulations to set the values of these items, and find a way to correlate dollar values with the data and assets that we protect, we will be more effective at motivating our senior administrators to back security.