A data breach can cause a loss of revenue, destroy shareholder value, erode consumer trust and even open you up to legal consequences, whereas better security can add value to a company by preventing attacks, detecting breaches faster and mitigating the damage caused by cyber threats. The Ponemon Institute’s 2016 Cost of Data Breach Study estimates that the average consolidated total cost of a data breach is $4 million; so why do we still view cybersecurity simply as an operating cost?
Unfortunately, cybersecurity is often viewed as the organization that always says no versus the organization that makes the business go. Cybersecurity professionals deal with many paradoxes, for example information, software and infrastructure need to be secure yet usable. Yet usability is often viewed as being negatively impacted by the security measures taken. No organization gets a pass when it comes to risk, so it is paramount that organizations conduct ongoing risk analysis. Fleshing out the impacts and probability of identified risks is essential; however, at the end of the day, organizations are going to have to accept some degree of risk. The only other option is to close the doors and close up shop.
Organizations that have no understanding of their risks are operating in the dark. Businesses must assess their risks and determine their appetite for accepting various risks required to support their business model. With all the technological advances and the seemingly ever broadening attack surface, the valuation of information assets is still foundational to any cybersecurity program. When you’re placing a value on your information, you must gauge what the loss or modification of your information would mean to the organization and its stakeholders. Things like cyber value at risk and cybersecurity insurance to help recover from a data breach are business enablement considerations. Perhaps the most important factor to seeing cybersecurity as a business enabler versus a money pit is communication between the CISO and the C-suite. The CISO must be able to effectively communicate the investments in cyber into business terms. We can’t accomplish this by going down a path of technobabble, but rather, we must put cybersecurity into business enablement terms that resonate with the C-suite.
By David Shearer, CISSP
CEO of (ISC)²