Relationship status: "It's complicated"
#169 - Why would something that should be inversely proportional be directly proportional?
Cybersecurity over the years…
The data is confusing. What gives?
As 2️⃣0️⃣2️⃣4️⃣ draws to a close and we look at 2️⃣0️⃣2️⃣5️⃣, I thought of doing a rather different post. How has the cybersecurity industry moved over the last few years? Did we do something meaningful over the last, say, 5 years?
What is the Year of the Snake 🐍, going to bring for us cybersecurity professionals? Will we see the reality of the rope and the snake? Or will we continue to live our lives merrily?
The Data
Before we discuss the implications of the line chart 📈 above, here are the sources of the data:
The cost of cybercrime is from Cybersecurity Ventures.
Cybersecurity market size is from Spherical Insights and Envision Intelligence.
The number of active devices is taken from Statista.
What does the chart mean?
The interpretation makes the imagination boggle perceptibly, as P G Wodehouse would say.
Cybercrime is growing. (I have reduced the cybercrime numbers by a factor of 10 to make them more legible in the chart.) But so is the spend on cybersecurity.
Logically, they should be inversely related. When one 📈, the other should necessarily 📉, right?
That does not seem to be the case. No need to panic, yet. The growth is because the number of assets being protected is also growing phenomenally, right? If we just factor in that growth of assets, we can justify both the investment in cybersecurity and the growth of cybercrime.
So, I added another dimension - the number of active devices (laptops, desktops, mobile devices) to the equation. This did not help in any way.
I wondered if I was missing anything. IoT and OT!! That’s the missing piece. That market is 💥. If I just add active IoT and OT devices, I can justify the chart. I looked up the data here. The market for OT/IoT is doubling — from 10 billion to 20 billion devices. If I factor that into the chart, this is how it looks:
Barely any difference!! A slight need to panic. Wait! The data must be inaccurate. That’s it!! Whew!! 😌
Let’s cross-check the data sources for reliability. The reliability of the data is definitely questionable, but that would account for a change of about 20% here and there at most. So, this chart is reasonably accurate.
When you eliminate the impossible, whatever remains, however improbable, must be the truth. - Sherlock Holmes
The only logical explanation remaining is that the cybersecurity market is proving to be ineffective.
When you think about it, it starts to make sense. Complete panic! We sell point solutions to fix symptoms, not the root cause. We never align with the ORM / ERM frameworks (because cyber is different, no?). We are not able to create a culture of risk-based decisions, and our leaders (CISOs) do not have a seat at the table.
We squander our budgets on the next shiny new tool and spend inordinate amounts of time and money on complying with the next new regulation without aligning it to our business. We have bloated policies that no one can understand and complex SOPs that no one wants to follow. Our audits are frivolous and our metrics are a joke…
I was being cynical. On purpose.
However, it is time to take a deep, hard look at the effectiveness of our cyber investments. One question really begs an answer:
Are we putting our money where our risks ☣️ are?
As I take a break for the year, I too, will mull over this. I will mull over how CyberInsights can add more value to all of you and help you take better decisions.
Wishing all readers a Happy New Year in advance. See you on the other side!!
I totally resonate with your post.
Absolute gold (and subscribed of course!)
Looking forward to reading more from you, Chaitanya
Oh, and enjoy your break