Last week we wrote about a Deloitte study that estimated the potential hard and soft costs of a data breach to an organization over several years. The point was to show that less visible costs — loss of customer confidence and brand reputation — could have a long-lasting impact on an organization.
But what should chief risk officers do with these and other reports? Think carefully, according to an article today on Security Week.
For one thing, it notes there’s no consistency in cost of breach reports. In fact the European Union Agency for Network and Information Security (ENISA) released a report earlier this month that reviewed studies that try to do a calculate the costs for critical infrastructure organizations and concluded its damn hard. On the one hand it found evidence that the finance, ICT and energy sectors would suffer the highest costs, it also admits there’s no common approach or criteria to cost of breach estimates. Any calculations use “rarely comparable” approaches that are often only relevant to a specific context.
So can cost estimates be used in a risk mitigation policy? The Security Week story suggests they have limited value to CROs. The chief security officer at Samsung Research America is quoted as saying such calculations are always subjective. In his firm’s case the big assets are intellectual property, whose loss isn’t easy to put a price on. His goal is to mitigate the effects of a breach, he points out. So he works on that, rather than the cost of a breach.
That is echoed by another expert, who says CISOs need to look at the value of assets in their own organizations to make a risk assessment, rather than use third-party averaged estimates.
The article also usefully points out there’s a difference between the estimated cost of a breach and the risk of a breach. But it also quotes an expert saying that cost calculations are “good instruments for practitioners to raise awareness and kick off an internal discussion to move from a compliance, check-box mentality to a more pro-active, risk- and business-driven approach to security.”
And talking about security across the entire enterprise is always a good thing.