We had a lively round table debate about “how much security is enough?” during Networking Field Day 11. It’s certainly not a pure networking question; some in the room argued that security is no longer, or perhaps has never been, the network engineer’s responsibility. Still, a large number of networking professionals these days are charged with keeping their employers’ networks clear of threats.
The argument put forth was essentially that it is cheaper for companies to take the data breach hit than to feed ever-growing IT security budgets, because there are no penalties, or little downside, for the many businesses involved in what has become a daily occurrence of customer and/or credit card data theft resulting from a data breach. Greg suggests that companies might be better off investing in a good public relations firm to help manage any public crisis that might arise. I wouldn’t agree that there aren’t any downsides, although I would reluctantly agree that large businesses appear to be emerging relatively unscathed from these incidents. The emergence of data breach insurance, also known as cyber liability insurance, lends additional credence to the idea that large businesses look at security and data breaches as a simple math problem.
The formula might look like this:
( (Revenue Loss + Breach Related Costs) – Breach Insurance) < IT Security Spend
In short, the financial penalty for losing your customer data doesn’t justify the IT security spend needed to actually secure the data. So it’s cheaper for large businesses to take the financial hit for a data breach than to spend the considerable resources needed to secure the data, application or solution.
There’s certainly validity to the overall point that there’s little motivation for large businesses to spend significant resources on overall IT security. In an article entitled “Why companies have little incentive to invest in cybersecurity”, Benjamin Dean provides numerous facts and supporting evidence to suggest that there’s little motivation for large businesses to heavily invest in protecting customer information. Benjamin cites data from both the Target and Home Depot breaches that supports the argument, and ultimately ponders whether additional governmental oversight will be needed to close the loop.
I would counter with this point: when has any large business spent any more than it absolutely needed on anything? I can’t tell you how often I’ve stood in front of a budget committee and been told that I’ll just need to make do with the capital or operating funds I have available, no matter the strategic importance to the business operation or the ROI.
What do you think?
Is additional government oversight needed to get large business to take more responsibility?
Cheers!
Image Credit: Aap Deluxe
Frank Sweetser says
Data breach insurance seems like it could be a very useful piece of the puzzle, but I would argue it focuses only on the confidentiality piece of the security tripod, leaving out availability and integrity.
How will that breach insurance help you when a large scale DDoS takes out a critical piece of your online store for 12 hours on Cyber Monday? Or recover when CryptoLocker nails your CRM and accounts payable databases? Backup tapes aren’t as sexy as a 100Gb next gen firewall/IPS, but only one of them will defeat malicious encryption!
I would strongly argue that putting security in its own box is a large part of the problem, because it will never be something that is a true value add. Instead, it should be treated as an attitude of risk mitigation that permeates the entire organization. That way, its value can be much more closely tied to that of the data and business processes it’s protecting, and more easily sized appropriately based on the real business priorities.
Michael McNamara says
Thanks for the comment Frank!
I would agree that security needs to be thought of often and early… too often it’s an afterthought. If you design with security in mind you’re likely to be much more successful than if security is just something to bolt on once you’ve completed the initial coding or design.
Cheers!