Data breach calculations fail to pay off

Agonising over the potential cost of data breaches is a distraction and a pointless exercise, says Anders Pettersson

Organisations everywhere are trying to weigh the risk of a data breach against security investments, but those calculations may not be worth the effort, says Anders Pettersson.

With data breaches regularly making the headlines — from the Home Office to NHS Education for Scotland — it is right that the protection of information is taking centre stage.

But the problem is there are so many reports on what a data breach could cost an organisation, too many hours are being spent trying to assess the return on investment (ROI) of any security deployment. Such calculations will only be a frustrating, time-wasting and ultimately fruitless exercise.

Value of data
Trying to quantify the cost of a breach is fraught with challenges, not least because there is so much data to assess and each piece of data has a different value to the organisation.

But it is not simply the value of data that is hard to quantify. Assessing the likelihood of losing the data is also tricky. On top of all that, the impact of an individual incident can be difficult to assess, as there is nothing to use as a benchmark for analysis.

Security ROI has always been difficult to calculate successfully. In the absence of data on the number of incidents, organisations are often obliged to make estimates.

The range of potential threats leave end-users perplexed — from HSBC getting fined £3m for a breach to 'dud' incidents, which pass by undetected and do not expose data because, for example, a mislaid device is never found.

All lost data does not blow up in your face and cost £3m, but the repercussions do depend on the data lost. If the loss involves data records of clients, customers or employees, it is sometimes counted as breached data. If it is a PowerPoint presentation, you may incur no real cost beyond embarrassment.

Adding to this confusion is the amount of fear, uncertainty and doubt being peddled by security companies. They may not be fabricating the threats, but their cost is being exaggerated to unrealistic proportions. Because of the complexities of calculating costs and risk, one frequently encounters the opinion that 'it won't happen to me and even if it does, it'll probably go unnoticed'.

These days, IT directors have enough to deal with as they face pressure to do more with less and enhance competitive edge with IT. Making unrealistic claims that are not going to be taken seriously helps no-one.

We must be honest and simply tell organisations to stop trying to work out the ROI of security investments based solely on the cost of a breach. Go with your gut feeling.

Endless calculations
Is it irresponsible to listen to your gut feeling? Well, no. You can build your argument based on these judgements, but do not let them be your full argument. If you really reflect on why security is important, you will not fly into the boardroom with just a PowerPoint that includes endless calculations based on nothing more than another organisation's experience.

IT security investments are often extremely complex matters and at some point you need to weigh all the parameters and make a decision. Remember, not making a decision is still an active security policy, and one that can leave your organisation exposed.

No-one will ever be able to tell you the true cost of a breach until you have been through it, so let's stop wasting everyone's time and focus on the things that are going to make your business more productive.

Anders Pettersson is chief security officer at BlockMaster, where he has led design and marketing for five years, having been with the company since its inception. Pettersson has held roles in military intelligence and ran a media start-up working with Yahoo and Microsoft.