Does Discussing IT Security Spending Have to be Extremist or Establishment?
Even a casual observer of this year’s presidential election will come to the conclusion that being a political insider or part of the “establishment” is now a bad thing. But there is an unspoken undertone in this rush to outsider status. Candidates not only declare themselves to be anti-establishment, but the most popular jockey for extreme positions away from the center – whether that’s offering more free benefits than the other candidate or deliberately polarizing constituents depending on ethnicity or religion.
If polls and media reports tell us the future, establishment centrists seem to be a dying breed, leaving voters with a choice between extremes.
Choices in IT security spending can often feel the same way. What is the right level of funding for the risks you face? Should you assume that the prevention is more costly than the cure and spend little? Or if you (or a competitor) have been breached, should you pour resources into IT security? Let’s explore the extreme and established responses to these questions.
What is the board’s appetite for risk?
To determine the right level of funding for the risks you face, start at the top. What is your board’s tolerance for loss? At one extreme is the example of Sony Pictures, which succumbed to a major attack in 2014. The IT security budget response was underwhelming.
While the initial investigation and remediation costs were reported at $15 million in the third quarter FY15 earnings report, that same report said that “Sony believes that the impact of the cyberattack on its consolidated results for the fiscal year ending March 31, 2015 will not be material.” In other words, compared to the size of the rest of the business - $68.5 billion in revenue in FY15 - they’re not worried, so it can be inferred that the acceptance of risk is high.
At the other extreme, Home Depot said in a statement that the impact of dealing with its 2014 breach could, “have a material adverse effect on the company’s financial results in fiscal 2015 and/or future periods.” Estimates of Home Depot’s costs come in around $62 million against revenue of $83 billion in FY15.
So why the difference?
It would be easy to point to Home Depot’s larger costs, but for both Sony and Home Depot the remediation cost was less than 0.1% of revenue. The difference is not found in the cost of remediation, but rather in the impact on future revenue, which is foremost on the board’s mind. With Home Depot, or in the case of fellow retailer Target, the impact on fickle consumers inconvenienced by the loss of their credit card information can drive business towards a competitor. Legal and compliance fees can be significant as well.
Sony’s losses primarily centered around blunt commentary about movie stars and making the choice to pull “The Interview” from theaters. But “The Interview” wound up making money in syndication from all the publicity, and movie stars are reluctant to sue the studio, as they won’t bite the hand that feeds them.
Security spending has to be weighed against the potential costs for loss, and in the minds of many board members, spending less is worth the risk.
Establishing a budget that balances the extremes
It’s easy to lose sight of balancing costs with risk when responding to an incident. But if you are looking for a way to establish a budget that balances the extremes, the case has to be made on calculated risk compared to the risk tolerance of the board.
There are any number of scholarly resources and models for risk calculation available, but the general approach is:
• Identify the valuable information your organization maintains
• Identify the threats that would find that information valuable
• Assign a probability that the threats will seek out your information
• Identify vulnerabilities that can be exploited by those threats
• Estimate the impact of losing that information to those threats
Don’t forget that impact is more than just the cost of remediation - reputation loss, legal costs and regulatory fines play a role as well. Your board may be willing to accept the risk, but make sure they have all the information for the decision.
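To make the calculated-risk case concrete, here is an added worked example (not from the original post) that models the five steps above, plus the wider impact components just mentioned, as a small asset register and flags the assets whose expected annual loss exceeds the board’s stated tolerance. All asset names, probabilities, dollar figures and the tolerance threshold are constructed for illustration and are assumptions, not figures from any real company.

```python
"""Risk-based budgeting: expected annual loss per asset against the board's tolerance."""
from dataclasses import dataclass, field

@dataclass
class Impact:
    """Loss components (USD) if the asset is compromised; remediation is only one part."""
    remediation: float
    reputation: float = 0.0       # future revenue lost to competitors after a breach
    legal: float = 0.0
    regulatory_fines: float = 0.0

    def total(self) -> float:
        return self.remediation + self.reputation + self.legal + self.regulatory_fines

@dataclass
class Threat:
    name: str
    p_targets_us: float   # yearly probability this threat seeks out the asset (step 3)
    p_exploits: float     # probability it succeeds through a known vulnerability (step 4)

@dataclass
class Asset:
    name: str             # valuable information the organisation holds (step 1)
    impact: Impact        # estimated loss if compromised (step 5)
    threats: list = field(default_factory=list)   # who would want it (step 2)

def expected_annual_loss(asset: Asset) -> float:
    """Sum over threats of P(targeted) * P(exploited) * total impact."""
    return sum(t.p_targets_us * t.p_exploits * asset.impact.total() for t in asset.threats)

def funding_gaps(assets: list, board_tolerance: float) -> dict:
    """Expected loss above what the board accepts, keyed by asset; only assets over tolerance."""
    return {a.name: round(expected_annual_loss(a) - board_tolerance, 2)
            for a in assets if expected_annual_loss(a) > board_tolerance}

# Constructed register: names and figures are illustrative, not any real company's data.
REGISTER = [
    Asset("customer payment cards",
          Impact(remediation=10e6, reputation=40e6, legal=8e6, regulatory_fines=4e6),
          [Threat("card-skimming crew", p_targets_us=0.6, p_exploits=0.25)]),
    Asset("unreleased film scripts", Impact(remediation=15e6, reputation=2e6),
          [Threat("extortion group", p_targets_us=0.2, p_exploits=0.5)]),
]
BOARD_TOLERANCE = 5e6  # assumed: board accepts up to $5M expected annual loss per asset

if __name__ == "__main__":
    for a in REGISTER:
        print(f"{a.name}: expected annual loss ${expected_annual_loss(a):,.0f}")
    print("assets needing more funding:", funding_gaps(REGISTER, BOARD_TOLERANCE))
```

The output lists the payment-card data as the only asset over tolerance, because its reputation and legal components dwarf the remediation cost, which is exactly the Home Depot versus Sony distinction drawn above.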
As in politics, there are some numbers that are helpful, mandates to be met, and judgment calls to make when discussing an IT security budget that balances the extremes. Returning to the basics of truly understanding risk and making informed decisions is the best way forward.