What’s the value in continually investing in an IT security budget?

Picture this: Your business requires the medical and payment data of three million people, one-third of whom are Medicare recipients. Because of this, you have a big red bullseye painted on your infrastructure and all sorts of seedy characters want access to that information, either for themselves or to sell in the dark underbelly of the internet. “Don’t worry,” you say, “we’re protecting that data.” You have a security infrastructure in place, so you figure everything is fine. But how confident are you that the data will NEVER be compromised?

The answer probably starts with something like “We have spent –” or “We have never had a problem with –.” There have been no breaches (to your knowledge) and no real problems brought to your attention.  You’ve bought silence. Is it necessary to continually make this investment?

In the back of your mind, you have a voice telling you that yes, you do need to continually focus on cybersecurity. You know that in the security game, the status quo never stays the same. Cybersecurity is an arms race and it is constantly evolving. Gone are the days when “hacker” meant some kid playing on a computer in his mom’s basement. Those kids have grown up to be fully fledged criminal organizations with sophisticated equipment and understanding of the latest technology and exploits. This means companies have to be on the forefront of security, too.

Hackers only need to succeed once when trying to access your data. Once someone is in, they can alter, destroy, or sell the data (or access to it) to someone with malicious intent.  According to Art Villiland, HP’s senior vice president and general manager of enterprise security, breaches on average go undetected for 243 days. By then, how much of your data could leave undetected?  A lot –at 5 megabits per second over 243 days, 12.8 terabytes could be transferred.

Your problem is how to convey this to your leadership. They will almost certainly have objections to your sell, with these three being the most common:

• We don’t understand the business value
• We already spend a certain amount on IT security—isn’t it enough?
• We haven’t had any serious security events. Why change what we spend?

The best way to answer these objections is to quantify as much as you can. The best way for people to see the value of what they are investing in is to show them the numbers—literally. Respond with these three points:

• You’ve already valued your data. Compare your security expenditure as a percentage of the market value of the data, the potential liability, and legal costs associated with loss of that data.
• Relate your security expenses as a percentage of revenue and compare that to other organizations in your industry. Are you on par with the rest of the group?
• Be transparent with the leadership. How many attempts you have mitigated each quarter? Explain that you’ve bought silence when it comes to your security, but that doesn’t mean the threats have evaporated. Show your leadership that the threats are there, real, and changing.

In its annual Boardroom Cyber Watch 2014 study, global cyber security provider and CREST member IT Governance surveyed 240 senior IT decision makers and found that many companies are blind to data breaches and have little to no contact on these matters with board members. It’s time to reverse that trend and make board members a part of your security conversation. It’s hard to quantify ROI when talking about something that might not have happened yet, but the numbers speak for themselves when you can report the value of your investment by volume of incidents blocked and mitigated that quarter.

Now that you’re fully in the arms race, we’ll talk later about how to calculate your data liability.