Business Managers always have difficulty in appreciating the need for investment in Information Security. Money is always a scarce resource in any organization and there are always competing demands. Managers often prefer a marketing investment against an IS investment since the benefits of a marketing activity is more visible and are often immediate.
An investment in IS is however meant to prevent an adverse incident and if it is successful, then we may often not recognize the benefit. No body may recognize that there was in deed a threat and it was prevented because of the IS investment. Even at the initial decision making stage, it is difficult for the business manager to appreciate why he should invest in IS when there has been no adverse impact on the organization in the past.
In the light of this dilemma, it is interesting that the Ponemon Institute has released an eye opening 2014 survey report quantifying the cost of data breach in India. Though the impact of a security threat may differ from one organization to another, there are certain observations in the report which every manager needs to take note.
For example
1. The survey points out that the cost of data breach in India increased by 31% in the last year from RS 2271/- to Rs 3098/-. This is cost for one lost or stolen data. In actual practice, whenever there is a data breach incident in an organization, data is lost in large numbers. The average total organizational cost according to the study therefore is reported to have increased by 32% from Rs 6 crores to Rs 8.3 crores.
If therefore there is a probability of one breach in an organization, then the cost would be around Rs 7 crores. It should also be remembered that the cost of loss in the Financial Sector such as Banks is nearly twice that of the above average.
Hence one breach is all that it takes to close down a business.That single killer breach can occur any time because there are a number of threats lurking in the environment and a number of unattended vulnerabilities in the organization. It can also occur because a company has a lakh employees and any one of them can cause the breach for various reasons including negligence, lack of awareness and malicious intention.
Every company has to therefore check if they have the ability to survive even one breach incident if it occurs in their organization. If not, then they should not argue on the investment required in mitigating the risk even if the risk mitigation may not guarantee 100% elimination of the risk.
2 The survey observes that customers abandon organizations at a higher rate following the data breach. It is natural that customers do abondon organizations if a security breach in that organization puts the customer’s own business at risk of loss. On an average the customer turnover after a data breach increased by 11%. Marketing personnel who compete for investment from the IS department should consider that they need to get that much more of new business to protect their revenue if they try to snatch investment from the IS departments. In financial terms, the average cost of lost business costs increased from Rs 1.53 crores to Rs 2.01 crores during the year.
3. The study also goes on to state that the cost of data breach can come down by around 9% merely by appointment of a CISO. It can also come down further by around 12% with a good incident response plan, another 20% by a strong security posture and Business Continuity program. In other words the study predicts that around 40% of the cost of data breach can be brought down by simple IS measures and there in lies an indication of the ROI on IS investments.
These figures must be sufficient for any business manager to understand that cutting investment in information security does not reflect prudence.
Naavi
