The Cost versus Risk of a Security Breach Conversation

The Chief Information Security Officer (CISO) and the Chief Risk Officer (CRO) generally speak in different languages. One speaks about how to secure an organization and its assets. The other speaks about the potential of losing something of value. One area where they find common ground is in the shared conversation of the Cost versus Risk of a data breach.

A data breach costs an organization in the US on average $201 per stolen record.[1] The risk of a data breach is expressed as a number between 1 and 10 that indicates how at risk your organization is.[2] The cost of implementing security measures and controls varies with the level of risk an organization is willing to accept.

This is the conversation that needs to be mastered in order to communicate the need for more resources to Chief Financial Officers and the rest of the C-Suite.

As organizations conduct vulnerability assessments of their IT landscape, they get a sense for how at risk their environments and systems are of being breached. Yet, in many cases, these vulnerability tools have significant blind spots when users replicate data to applications and systems that are not within reach of their assessment tools. This requires the addition of a data-centric approach to classifying, categorizing and measuring the value of data and its potential risk.

In the Informatica Secure@Source launch event, Larry Ponemon of the Ponemon Institute describes during a panel session how great it would be if there were a tool that could tell you 'here is the risk of the data' and 'here is the cost of that risk to the organization'. That is exactly what Secure@Source was designed to accomplish.


Not surprisingly, security teams are consistently under-resourced. Teams are constantly responding to alerts and intelligence feeds, which leads to calls for more resources. Yet, if these teams had a view into where the data was most at risk and could focus their energy on prioritized assets that, if secured at the source, would eliminate downstream risk, they might find their world less overwhelming.

[1] http://www.ponemon.org

[2] http://breachlevelindex.com
