Why CISOs Should Care About the RAND Corporation’s New Cybersecurity Research

By Elevate posted 06-10-2015 00:01


When it comes to cybersecurity, the industry has always struggled to understand the complexities that influence the true cost of security risks to businesses. As a chief information security officer (CISO), I’m faced with these multifaceted dilemmas daily and, just like others in the industry, struggle to determine the best security investments to protect a company’s valuable assets. Realistically, how can I predict what the landscape will look like five or 10 years down the road, or even, a week from now?


CISOs need greater insight on cybersecurity threats. Our job is to keep our organizations safe. Additionally, we must ultimately demonstrate to the larger C-suite how vital it is to properly secure the network and illustrate the importance of effective cybersecurity investments. What we’ve needed to really make these conversations impactful is a framework of sorts, a customized strategy and recommendation on where to allocate our security spend.


In an effort to address these needs, Juniper Networks engaged with and sponsored economists and security experts at The RAND Corporation to conduct research exploring the major factors and influences on the costs of cyber-risk to organizations. Last year, we worked with RAND on a study that examined the economic realities for attackers and found that cyber black markets have reached unprecedented levels of maturity. Now that we had a clearer picture of the threat landscape, we turned the tables and analyzed the economic realities for the defenders.


The findings helped us better understand the dynamics of the costs associated with cybersecurity, and map the economic drivers and challenges of defense. RAND suggests that many companies are likely not taking the optimal economic strategy with their investments, falling behind when it comes to security yet investing more in defense mechanisms and not feeling any more secure. Hence the economic calculus for attackers is clear, yet the defense faces a much more unclear and chaotic environment.


Trying to keep pace with the latest cyber threats and worrying about what may happen next keeps many CISOs up at night. However, by taking a small step back and refocusing on managing risks as opposed to attempting to only manage threats helps provide a clearer path forward. Determining a plan isn’t easy. Deciding how to allocate security investments properly and accurately across a business is no small task – believe me, I know. Fortunately, now I can say we have something that can help start such conversations.


RAND took its research and developed a first-of-its-kind heuristic model that can be leveraged as a learning tool to better understand the major factors that influence the costs of managing security risks, how to determine the best investments, and overall provide the knowledge needed to manage cybersecurity risk holistically.


To bring this model to life, Juniper Networks developed an interpretation of this heuristic model, creating an interactive tool that takes key elements of the model and provides directional investment guidance. This provides CISOs with a starting point to directionally understand the various decisions that can be made to protect their organization and decide where to direct attention and investments.


With RAND’s model suggesting the cost of managing cybersecurity risk is set to increase 38 percent over the next 10 years across all types of businesses, now is the time to start better managing security risk and systematically determining where security investments should be made to create a more secure network.


If you’d like to learn more about the RAND research report and the major influencers of cost, visit




07-10-2015 11:34

important work quantifying impact and then giving roadmap to find appropriate solutions

06-22-2015 20:39

Thank you!


Very well written article and the most important subject, I think.