I remember reading an article in CIO Magazine that claimed an auditor told Jason Spaltro, executive director of information security at Sony Pictures Entertainment, “If you were a bank, you’d be out of business.” The article, by Allan Holmes, was entitled Your Guide To Good-Enough Compliance. It sought to explain why CIOs and CISOs are so overwhelmed by the demands of their jobs that they do not have the time to invest in reconfiguring electronic systems and processes to meet regulatory requirements.
In the article, Jason Spaltro of Sony was quoted as replying: “It’s a valid business decision to accept the risk [of a security breach]. I will not invest $10 million to avoid a possible $1 million loss.” These comments would come back to haunt Spaltro in November 2014, when Sony was breached by a criminal group. The total cost of the breach is not yet known, but estimates vary between $150 million and $300 million.
According to the 2014 US State of Cybercrime Survey, “While organizations are more concerned about cyber threats, our research finds they have done very little to strategically invest in cybersecurity and ensure that it is aligned with the overall business strategy.” Well, that’s easy for them to say. It is very difficult to put a monetary figure on the cost of a data breach because every business is unique, and every breach impacts different businesses in different ways. Let’s face it, security measures don’t come cheap, and justifying the return on investment – the return on problems that don’t occur – can be a hard sell to senior executives. Even trying to estimate the cost of a future breach can be tough, not least because of the intangible costs: damage to reputation and brand, loss of current and future customers, and reductions in the share price.
It also does not help that IT security budgets are often lumped in with a company’s overall IT spend. If the CISO is subordinate to the CIO, it is quite likely that next year’s proposed IT projects will be compared with the proposed IT security projects without effective reference to the risk factors, and the security projects will lose out.
An example of a good balance between the cost of protection and the risk of a data breach is in the handling of emails. There are several ways to secure emails: they can be encrypted while stored on the server (in the data center), encrypted while stored on individual users’ computers, or encrypted while in transit across the public Internet. All three are possible to implement; however, the first two are cost-prohibitive. While it is relatively inexpensive to encrypt and store emails, searching the stored messages for specific topics and phrases requires enormous computing power. That is, it would be extremely expensive to find a specific email you sent to a client six months ago, because every email on the server, or on the computer drive, would need to be decrypted to see whether it was the one being searched for.
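The search cost described above is easy to see in code. The following is an added illustration, not code from the original article or from Zix: it uses a toy stream cipher built from HMAC-SHA256 (constructed for the example; a real mail store would use AES-GCM or a vetted library) and a constructed mailbox of a few hundred messages. With messages encrypted at rest and no plaintext index, a search for one phrase has to decrypt every message in the store; with the same messages held in clear text behind the perimeter and indexed, the search touches only the messages that can match and decrypts nothing. The store classes, `build_sample_mailbox` and `compare_search_cost` are all hypothetical names introduced here.

```python
import hashlib
import hmac
import os
import re

NONCE_LEN = 16


# Toy stream cipher, constructed for this illustration only: keystream blocks are
# HMAC-SHA256(key, nonce || counter). It exists so that "search must decrypt" is
# a real cost in the simulation, not to be used as a production cipher.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def _words(text: str) -> set:
    return set(re.findall(r"[a-z0-9]+", text.lower()))


class EncryptedAtRestStore:
    """Every message body is stored encrypted. Without a plaintext index, a
    search for a phrase has to decrypt every message to test it."""

    def __init__(self, key: bytes):
        self._key = key
        self._blobs = []  # list of (message_id, ciphertext)

    def add(self, message_id: str, body: str) -> None:
        self._blobs.append((message_id, encrypt(self._key, body.encode())))

    def search(self, phrase: str):
        """Return (matching message ids, number of decryptions performed)."""
        hits, decryptions = [], 0
        for message_id, blob in self._blobs:
            decryptions += 1
            if phrase.lower() in decrypt(self._key, blob).decode().lower():
                hits.append(message_id)
        return hits, decryptions


class ClearTextIndexedStore:
    """Bodies kept in clear text behind the perimeter, with an inverted index
    (word -> message ids). A search scans only candidate messages and never
    decrypts anything."""

    def __init__(self):
        self._bodies = {}
        self._index = {}

    def add(self, message_id: str, body: str) -> None:
        self._bodies[message_id] = body
        for word in _words(body):
            self._index.setdefault(word, set()).add(message_id)

    def search(self, phrase: str):
        """Return (matching message ids, number of message bodies scanned)."""
        words = _words(phrase)
        if not words:
            return [], 0
        candidates = set.intersection(*(self._index.get(w, set()) for w in words))
        hits = [m for m in sorted(candidates) if phrase.lower() in self._bodies[m].lower()]
        return hits, len(candidates)


def build_sample_mailbox(n_filler: int = 300) -> dict:
    """Constructed sample data: filler status reports plus the one message the
    user actually wants to find six months later."""
    messages = {f"msg-{i:04d}": f"Weekly status report number {i}, nothing urgent." for i in range(n_filler)}
    messages["msg-client"] = "Hi Dana, attached is the revised contract for Acme as discussed."
    return messages


def compare_search_cost(phrase: str, n_filler: int = 300) -> dict:
    """Load the same mail into both stores and report what one search costs in each."""
    key = os.urandom(32)
    enc, clear = EncryptedAtRestStore(key), ClearTextIndexedStore()
    for message_id, body in build_sample_mailbox(n_filler).items():
        enc.add(message_id, body)
        clear.add(message_id, body)
    enc_hits, decryptions = enc.search(phrase)
    clear_hits, scanned = clear.search(phrase)
    return {"encrypted_hits": enc_hits, "decryptions": decryptions,
            "clear_hits": clear_hits, "bodies_scanned": scanned}


if __name__ == "__main__":
    print(compare_search_cost("revised contract"))
```

Both stores return the same single hit, but the encrypted store performs one decryption per stored message (301 for the constructed mailbox) on every search, while the indexed clear-text store examines one candidate body. That linear decryption cost is what turns routine eDiscovery on an encrypted-at-rest mailbox into the expense the paragraph describes.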
A good balance would be to encrypt emails while in transit, and to store them behind an effective firewall in clear text. This solution typically costs less to implement than the first two, and it saves enormously in later eDiscovery costs. It also secures emails when they are at their most vulnerable – as they transit the public Internet between senders and recipients.
Zix has a number of email encryption solutions that can help you balance your security spending with the real risks to your organization’s security. To learn more, click here.