You’re out of touch, I’m out of time…

Found a quote through Dan Sullivan (via Mike Rothman) in his post “Compliance is Less Expensive Than Data Breaches”. Dan’s post was based on this Computerworld article. The quote from the Computerworld article:
Implementing security is cheaper in the long run than having a data breach, which can be expensive and hurt a company’s reputation. Gartner calculates that a data breach costs companies around $300 per exposed account because of investigations, fines and lawsuits. On the other hand, beefing up security costs around $16 per account for the first year, and that cost falls over time, according to Litan.
Oh, if only it were that simple.
If someone tells us that “Breaches are more expensive than your security budget”, you know what our response should be?
Well Duuuuuhhhhh.
That’s the same FUD that stopped working sometime last century. I would hope that everybody’s already figured that one out, and frankly I’d be pretty ticked off if I were paying an analyst firm for that nugget of wisdom.
What most in our industry haven’t figured out is whether the probability of a breach is enough to warrant excessive security spending above and beyond the risk tolerance of the business owner. That’s the job of risk analysis and risk management functions. Speaking of risk and spending…
COMPLIANCE DOESN’T LOWER YOUR RISK, IT RAISES IT
For most people, that is. I’ve been talking about the “compliance feedback loop” recently. In a simple statement:
Compliance, purportedly created to lower risk, has a tendency to actually increase it. And the more compliance I face, the more risk I actually have.
I know that when you think about it, this all seems like common sense, but it’s important to note that thanks to FAIR we can actually study the quantitative impact of compliance on risk and develop thresholds beyond which compliance yields limited return in risk reduction compared to our investment.
Maybe I should build a little web application that compares investment to risk reduction. I could call it, “Is This Checkbox Worth It?”
When I say compliance, of course, I’m talking about the kind that comes from governments and industry (PCI). You see, in FAIR terms, probable magnitude of loss is developed from the six forms of loss:
productivity, response, replacement, competitive advantage, fines & judgments, reputation
So essentially, fines & judgments due to “compliance” will increase the probable magnitude of loss. In real-world risk studies, that increase is often dramatically larger than even the sum of the other five loss forms.
Now, if compliance does not significantly increase the strength of our controls, to the extent that they significantly reduce the frequency of loss events, then the presence of those fines and judgments is like a self-fulfilling prophecy. If I can abuse the economic term, it’s kind of a controlled market for risk tolerance.
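The threshold argument above is easy to put in numbers. The following Python is an added example, not code from this post: a minimal FAIR-style comparison of annualized loss expectancy (ALE) for a baseline scenario, the same scenario after a compliance regime adds fines & judgments exposure, and the break-even loss event frequency the compliance controls must reach before the checkbox pays for itself. All dollar figures, frequencies and function names are constructed assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class LossMagnitude:
    """The six FAIR forms of loss, in dollars per loss event."""
    productivity: float
    response: float
    replacement: float
    competitive_advantage: float
    fines_judgments: float
    reputation: float

    def total(self) -> float:
        return (self.productivity + self.response + self.replacement
                + self.competitive_advantage + self.fines_judgments + self.reputation)

def annualized_loss(lef: float, magnitude: LossMagnitude) -> float:
    """Annualized loss expectancy: loss event frequency (events/year) x loss magnitude."""
    return lef * magnitude.total()

def checkbox_worth_it(lef_before: float, magnitude: LossMagnitude, lef_after: float,
                      added_fines: float, control_cost: float) -> dict:
    """ALE before vs. after a compliance regime that adds `added_fines` of fines &
    judgments exposure per event, costs `control_cost` a year, and moves the loss
    event frequency from lef_before to lef_after."""
    after = replace(magnitude, fines_judgments=magnitude.fines_judgments + added_fines)
    ale_before = annualized_loss(lef_before, magnitude)
    ale_after = annualized_loss(lef_after, after)
    net = (ale_before - ale_after) - control_cost
    return {"ale_before": ale_before, "ale_after": ale_after,
            "net_benefit": net, "worth_it": net > 0}

def breakeven_lef(lef_before: float, magnitude: LossMagnitude,
                  added_fines: float, control_cost: float) -> float:
    """Highest post-compliance LEF at which the risk reduction still covers the controls:
    solve lef_before*M - lef_after*(M + F) = C for lef_after (M = baseline magnitude,
    F = added fines exposure, C = annual control cost)."""
    m = magnitude.total()
    return max(0.0, (lef_before * m - control_cost) / (m + added_fines))

# Constructed sample figures (not from the post): a breach scenario with no fines today.
BASELINE = LossMagnitude(productivity=50_000, response=100_000, replacement=20_000,
                         competitive_advantage=30_000, fines_judgments=0, reputation=0)

if __name__ == "__main__":
    # Fines exposure far larger than the other five forms combined, as the post describes.
    for lef_after in (0.5, 0.05):
        print(lef_after, checkbox_worth_it(0.5, BASELINE, lef_after, 800_000, 40_000))
    print("break-even LEF:", breakeven_lef(0.5, BASELINE, 800_000, 40_000))
```

With these constructed figures, a regime that adds fines but leaves the loss event frequency at 0.5/year raises ALE from $100k to $500k; the controls have to push the frequency below 0.06/year before the $40k/year spend is covered.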
To further abuse economics, excessive compliance with government/industry standards like PCI makes incidents more expensive than their “market price”. So when you consider the ramifications, we’ve created a self-propagating industry! Unfortunately, like most bubbles that exceed true market values, this bubble will ultimately burst, and if you believe the dark, foreboding prognostication, the future for us is either a low-level network admin or a legal assistant (more on that future in a later blog post).
DON’T PLAY THE REPUTATION CARD (IF YOUR AUDIENCE IS SMART)
Finally, I have a really tough time with this statement made in that article:
“a data breach, which can be expensive and hurt a company’s reputation.”
Really? I’d love to see empirical data that suggests a breach, any breach, resulted in long term reputation damage (measured in sales volume or stock price, of course) for a B2C company.
Speaking of data, risk and studies - tomorrow let’s tackle the “ajillion% of all attacks are from insiders” from a risk standpoint - shall we?
Tags: gartner, compliance, information risk, information, risk, risk management, information security, governance, enterprise architecture
July 03, 2007, 11:36am