I couldn’t stop thinking about the plight of some CISOs and CIOs as they struggle (incessantly) to justify the cost of cybersecurity initiatives. On a return flight to my base I decided to pen this down in the hope that it would help at least one executive as they do what they do best: protecting critical information assets. Please read and share.
Estimating the monetary value of information has been a challenge for most CIOs, CISOs and CTOs and, more broadly, for every part of the organization that handles a particular record, be it a customer master record, vendor master data, personnel information, banking information or other stakeholders’ data. This difficulty often results in poor funding of any protective mechanism proposed or recommended by the security or information C-suite. Interestingly, the people who approve project funding usually prefer a quantified consequence of inaction to a conceptual explanation shrouded in abstraction. It is therefore in the best interest of security executives to adopt both quantitative and qualitative techniques to justify a proposed investment in cybersecurity. A debate about the financial classification of information as a current or fixed asset might further help convey the right message to project sponsors, or help the board allocate the resources needed to secure enterprise information assets; allocation by utilization is one formula to consider in this regard.
In this article I make a case for adopting quantitative and qualitative techniques to justify cybersecurity investment. I must admit that the strength of the argument may be limited by some assumptions and hypotheses, which will differ by factors such as industry vertical and nature of business, but such considerations, in my opinion, do not weaken the overall argument and recommendations.
Even now, only a handful of companies truly understand and appreciate the act of keeping information safe and secure. Even those that support adequate funding of cybersecurity initiatives often did so because of compelling legislation such as Bill 198 or the Digital Act, regulatory requirements such as HIPAA or PIPEDA, audit requirements, or as a reaction to a security incident. Unfortunately, if you cannot put a figure to an incident or quantify the value of an information asset, it is hard in today’s business environment to get a listening ear from the funding approvers. The central point of my argument is that having sound mathematical explanations for investing in security initiatives lessens the burden of justifying that investment.
While it is true that virtually all institutions and establishments have heard of, or been notified about, the perilous state of cybersecurity, we cannot be confident those warnings resonate with top executives until they fully comprehend the inherent value, or the possible return, of protecting information at a cost. The truth is that most organizations are not bothered about the security of their information assets until there is a security incident (the reactive approach). How many times have we heard the phrase “if it isn’t broken, don’t fix it”? Who would have thought that keeping an enterprise’s information, the lifeline of its business, safe and secure would attract such a contentious debate?
Sadly, finance, procurement and logistics, HR, manufacturing or production, and sales and marketing are rated higher in investment priority and easily (and overwhelmingly) receive the board’s endorsement for more money, while the security of the entire organization, including those very departments, receives only a small “donation” (if anything at all), owing to a lack of understanding of, and insight into, the critical role of security and the potential impact of an attack. In my previous article I laid out the cost of a cyber-attack from the shareholders’ perspective, but I realized that many CISOs, CIOs and security managers are on the defensive whenever cost justification or budget allocation comes up. I have therefore outlined below some quantitative and qualitative techniques for justifying investment in cybersecurity initiatives. But before we get there: can anyone put a value on the cost of a piece of software or an application with security loopholes, gaps or errors?
Customer-centric approach: an organization grosses $250 billion per annum from its worldwide operations, serves a vast base of online and offline consumers, say about 50 million, and exists in a competitive market. For argument’s sake, each customer accounts (by purchases) for a certain amount of the company’s revenue, say $5,000 annually. Now suppose that, through an intrusion such as a network break-in by an advanced persistent threat, the records of these customers are obtained by a close competitor, and in a twinkling your competitor starts contacting your customers with a better deal that could save them up to $750 on their annual purchases. Of your 50 million customers, 5 million have just been lured away, while others are considering a move. Now let’s do the math: 5 million customers multiplied by $5,000 equals $25 billion. That is how much annual revenue you have just shed to your competitor(s). Now let’s take the analysis further: you have realized the implications of your security negligence and must assure your customers that you take their plight seriously by offering some form of incentive, ranging from credit monitoring (as Equifax did) to a discount on their next purchases. Conservatively, you could offer as much as $300 per customer for credit monitoring, or an average discount of 10% on annual purchases. Across the 50 million customers that amounts to $15 billion in credit monitoring (assuming no bulk deal with a credit-monitoring firm) or $25 billion in discounts. Either way, that is the cost or forgone revenue the organization carries, and potential lawsuits or class actions have been excluded from this analysis. If the simple analysis above fails to get the attention of the top people in your organization, I suspect the following might help.
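The scenario above, as an added illustration that is not part of the original article: a small Python model that takes the article’s assumed figures (50 million customers, $5,000 each, 5 million churned, a $300 credit-monitoring offer or a 10% discount) as parameters, so the board can see how the exposure moves when the inputs change. It also adds two things the article does not compute: the combined figure of churn loss plus the chosen remediation, and the extra revenue lost for each further percentage point of the customer base that leaves. All figures are the article’s hypothetical ones, not real company data.

```python
"""Breach-cost model for the customer-centric scenario (added illustration).

Every input below is the article's assumed figure; none is real company data.
Lawsuits and class actions are excluded, as in the article's own analysis.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BreachScenario:
    customers: int                 # total customer base
    revenue_per_customer: float    # annual revenue each customer accounts for
    churned: int                   # customers lost to the competitor after the breach
    monitoring_offer: float        # per-customer credit-monitoring cost offered
    discount_rate: float           # fraction of annual purchases offered as a discount


def churn_loss(s: BreachScenario) -> float:
    """Annual revenue that leaves with the customers who defected."""
    return s.churned * s.revenue_per_customer


def monitoring_cost(s: BreachScenario) -> float:
    """Cost of offering credit monitoring to the whole customer base."""
    return s.customers * s.monitoring_offer


def discount_cost(s: BreachScenario) -> float:
    """Revenue forgone if every customer takes the retention discount."""
    return (s.customers * s.discount_rate) * s.revenue_per_customer


def total_exposure(s: BreachScenario) -> dict:
    """Churn loss on its own and combined with each remediation option.

    The article reports churn loss and remediation separately; the combined
    figures here are the added step, since both hit the same year's results.
    """
    lost = churn_loss(s)
    return {
        "churn_loss": lost,
        "with_monitoring": lost + monitoring_cost(s),
        "with_discount": lost + discount_cost(s),
    }


def loss_per_churn_point(s: BreachScenario) -> float:
    """Extra annual revenue lost for each additional 1% of the base that churns.

    Useful when the board asks what happens if the customers who are
    'considering a move' actually leave.
    """
    return (s.customers * 0.01) * s.revenue_per_customer


# The article's hypothetical organization (constructed figures).
ARTICLE = BreachScenario(
    customers=50_000_000,
    revenue_per_customer=5_000.0,
    churned=5_000_000,
    monitoring_offer=300.0,
    discount_rate=0.10,
)

if __name__ == "__main__":
    for name, value in total_exposure(ARTICLE).items():
        print(f"{name:>16}: ${value / 1e9:,.1f} billion")
    print(f"each further 1% churn: ${loss_per_churn_point(ARTICLE) / 1e9:,.1f} billion")
```

Changing one field of the scenario (a smaller discount, a negotiated bulk rate for monitoring, a higher churn count) reruns the whole argument, which is easier to defend in a budget meeting than a single set of hand-multiplied numbers.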
Hackers’ method: how do hackers monetize information stolen from a network or obtained through a phishing attack? Considering the recent ransom payments by victims of cyber-attacks, you might wonder whether the bad guys are the best at pricing an information record. They seem to have mastered the quantitative technique of valuing information, and they use a rating approach to size their demands. How critical is the information? Does it have market value, could it embarrass the organization, or could it trigger a lawsuit? How damaging would it be in the hands of a competitor? These are the considerations organizations must account for when justifying investment in cybersecurity initiatives. The rating I propose ranges from 1 to 5, each level carrying a cost based on market valuation. The opportunity cost of inaction should also be considered.
Legal justification: I have found the use of legal precedents effective in explaining an investment in cybersecurity. The settlement cost of a class action can be exorbitant, and it scales with the size of the affected class. Using court decisions to provide context for a quantitative justification can be an eye-opener for a recalcitrant audience. Some cybersecurity cases and precedents follow.
Condon v. Canada, 2015: the plaintiffs alleged that a lost USB key and hard drive leaked, or negligently disclosed, personal information including SIN, date of birth, address and student loan balance. The plaintiffs claimed the incident affected 583,000 people and sued for breach of contract and breach of trust. The court certified the class action for some of the claims, while the rest were returned to the Federal Court for hearing. Considering other decisions by the courts, this case could well run into several million dollars.
Sofio c. IIROC: the class action was brought on the allegation that the defendant lost an unencrypted laptop holding information on 52,000 clients. The claim was $1,000 per individual; multiply that by 52,000 and the defendant faces a whopping $52,000,000 in exposure. The court initially declined to authorize the class action for lack of actual harm; on appeal, the question, argued with reference to Mazzonna v. Daimler Chrysler, 2012, was whether moral damages could constitute “actual harm.”
Home Depot, 2014: the plaintiffs alleged that the hacking incident affected 56 million people, compromising names, phone numbers, home addresses, credit and debit card numbers, PINs, expiration dates and passwords, including those of 700,000 Canadians. They sued for negligence and sought damages on a class basis to the tune of $500 million.
The above are some of the methods organizations may adopt to justify investment in security, but there are other, qualitative techniques, such as impact on reputation, loss of stakeholder confidence and impact on stock performance (which also qualifies as quantitative), among many others.
I am confident of a shift in approach, and of better days for cybersecurity executives, as knowledge of the monetary implications of cyber-attacks gains recognition and momentum.
Yomi Olalere, LLM, CISM, CISA, CRISC
Abaster Consulting Inc.
Member, 2019 International Cybersecurity and Intelligence Conference