In Making Business Sense of Technology Risk, I refer to studies conducted by the Ponemon Institute and sponsored by IBM Security.
Their latest Cost of a Data Breach Report again has some useful information.
You may be surprised to hear that the average cost of a data breach is just $3.9 million. That sounds far different than indicated by the alarm bells screaming at you from all sides. Healthcare costs are typically much higher than average. They are where the ‘megabreaches’ have typically occurred, although large companies in financial services and retail have also suffered huge public disasters.
Does it make sense to invest tens of millions of dollars or more when the average cost is relatively low?
That’s one of the issues tackled in the book. For a start, while the cost may appear low, the disruption to the business and its impact on customers and partners may be much more significant. A small out-of-pocket cost may hide the fact that significant enterprise objectives will now be much harder to achieve.
Another challenge is that resources to invest are limited. How does the leadership of an organization decide whether to invest in cyber, a new marketing campaign, an upgraded product offering, or to reduce supply chain risk?
Another factoid in the report is that despite advances in detection, the average time to identify and contain a breach remains unacceptably high: 279 days. In addition, a breach can have significant effects that last two years or more.
One of the problems with studies and discussions around cyber is that this is only one of several sources of risk to enterprise objectives. To understand the likelihood of achieving a business objective, you need to consider all related sources of risk.
Unfortunately, neither COSO nor ISO (nor anybody else to my knowledge) has provided practical guidance on this challenge of aggregating disparate sources of risk to a single objective, nor shown us how to weigh that aggregate against the upside.
Maybe that will come. In the meantime, perhaps my book will help.
I welcome your thoughts and comments.
He retired in early 2013. However,he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.