There is an age-old misconception that complying with a regulatory requirement such as Sarbanes-Oxley, HIPAA, or even industry requirements like PCI (Payment Card Industry) can make a company “secure.” Information security professionals know that compliance does not equal security. Non-information security executives know there are costs associated with compliance, and they can accept those. But why do we need to do anything more than is required for compliance? Additional spending on information security (InfoSec) seems to be a “luxury”. If it is not in the regulation, why do we need to do it?
Unfortunately, this misconception is the cause of many headaches and sleepless nights for the Chief Information Security Officer (CISO) and others responsible for InfoSec programs. In most organizations, investments are typically evaluated based on return on investment (ROI). This usually means that there is a quantifiable benefit for expending resources on any given “need.” This need and benefit are often documented in a business case for funding approval.
Quantifiable is the operative word here because the InfoSec “benefit” is a challenge to “quantify.” Applying resources to InfoSec is a form of cost avoidance – it generally does not lead to a clearly quantifiable ROI. It is easy to identify issues when a lack of InfoSec controls results in a quantifiable loss. Barely a day goes by without some large-scale breach or other type of security incident being splashed across the headlines. But when “InfoSec” is actually working effectively, you are hardly aware it is there. In other words, if a company’s intellectual property, electronic protected health information (ePHI), or financial data has not been stolen, then it is business as usual. Only when an incident occurs is the InfoSec program highlighted, and obviously in a negative light. So how does the CISO quantify the value of the InfoSec program?
Quantifying business value can be achieved in several ways. Three potential options include:
- Security is no longer a competitive advantage, but rather a business necessity. This perspective is more applicable today than ever before. Previously, a company could go to market and offer services or products where security was not much of a concern or was never even thought of. However, in today’s connected and SaaS-driven world, security is necessary. For example, a company that has grown by offering business-to-consumer (B2C) services and pivots to business-to-business (B2B) or enterprise clients faces new hurdles. Its customers are no longer individuals, but potentially businesses whose InfoSec teams will have input into whether their own company accepts its products or services, based upon how secure their data or their customers’ data will be. Given similar options, the B2B entity would lean towards a provider that can show it is security conscious and has the appropriate controls in place to protect digital data over a scrappy start-up that may be able to offer a comparable service but has a non-existent or immature InfoSec program and cannot demonstrate how it can protect its clients’ data.
- Security, if aligned properly, can enable business objectives. Business enablement should be a priority for InfoSec. Security should not exist for the sake of being secure but should enable the business to provide products or services securely to bring economic value. For example, being able to sign a Business Associate Agreement (BAA) for a medical billing company is absolutely essential for the business. In another example, clinics that can transmit patient data securely to a medical center have obvious advantages in delivering their services in comparison to faxing patient records.
- Security benefits can be quantified by what could have gone wrong, but didn’t, because we were able to mitigate the risk. An example of this can be derived from personal experience when I was responsible for the data loss protection (DLP) program for a large healthcare entity. The DLP program essentially mitigated the risk of leakage of ePHI or financial information. When it was operating well, it seemed as if the program provided zero value. Nothing was happening, so it seemed as if the program was not worth funding. Instead, the opposite perspective needs to be considered. What if the DLP program was not in place? What if we sent ePHI or credit card data unprotected/unencrypted over the internet? What risks were we exposing ourselves to? Could a nefarious actor intercept those messages and cause a breach or potentially exploit the financial information? According to the Ponemon Institute, “…the average cost per lost or stolen record was $146 across all data breaches, those containing customer PII cost businesses $150 per compromised record.”[1] Given this quantified cost, imagine losing 1 million records. That could cost the company $146-150M in breach costs. Comparing the cost of a DLP program upgrade with the potential loss is one way to demonstrate an ROI.
In conclusion, complying with statutory or industry requirements is a great start in a company’s information security journey. However, compliance should be seen as a baseline requirement, and only with continued maturity can information security be a true partner to the business.