Make it real
Companies often look at the easy-to-identify, tangible losses in a data breach, such as the number of records with personally identifiable information. Those should certainly be protected, Mossburg says, but less obvious losses could actually prove costlier.
In June, Deloitte released a report that uncovers 14 business impacts of a cybersecurity incident, half of which are hidden costs, including loss of intellectual property, devaluation of your trade name and lost contract revenue. Those hidden costs can be far more expensive than the initial triage and damage control expenses, and they can go on for years.
In one hypothetical model that Deloitte created based on its experiences with customers, the cost to a healthcare company that lost a significant number of medical records was more than $1.6 billion. Of that figure, only 3.5 percent of the costs were considered “above the surface” tangibles that are generally expected in the wake of a cyberattack, such as post-breach customer protection services and cybersecurity improvements.
The remaining 96.5 percent of the costs were for less tangible hits, such as lost customer relationships and increases in insurance premiums. Such “beneath the surface” costs often come as a shock for companies in the post-breach remediation process.
“We need to make this real for people,” Mossburg says. “It’s very important to understand the industry, the nuances to the types of systems they use, their interconnectedness to third parties, the types of data they have, how they’re using it and what that might be.” All those contributing factors, along with the type of incident, make scenarios unique for every company. “We’ve had a lot of conversations [with clients] on what are the scenarios that they should be modeling for themselves,” she says.
Articulating risks is an important first step, says Michael Eisenberg, vice president in the office of the CISO at cybersecurity solutions provider Optiv. “When you can articulate a risk that the business and board of directors agree with, then you can come up with a plan to mitigate and manage that risk” — a plan that includes additional funding and resources, he says.
Writing on the wall
Five years after the Anonymous breach at Booz Allen, Waters still displays a framed copy of the Washington Post article about the attack on his office wall. “For me and my leadership team,” he says, “it’s a reminder that this is never allowed to happen again.”
How the survey was conducted
This special report is based on an online survey conducted by CIO, Computerworld and CSO from March 25 through May 23, 2016, among readers and customers of the three publications who responded to newsletter and email solicitations. The survey explored the interaction of information security and traditional IT teams in enterprises today: Who’s responsible for which security duties, where roles and responsibilities overlap, and what challenges organizations face in aligning infosec concerns with IT strategy and business goals.