Fortunately, there is information available today that can clearly show the value of spending money on security. One source is the study by PGP and the Ponemon Institute on the cost of customer notification — research that has been substantiated by experience. Some of the costs identified in the study: a customer notification costs $140 per customer; 25 percent of the customers who receive a notification letter will leave you; another 20 percent are highly likely to leave, depending on their perception of your responsibility for the breach.
Add to that litigation spend and reputational risk, and you have a sizable cost that more than justifies the expense of security controls designed to prevent such an incident from happening.
ChoicePoint has been very open about the impacts of the breach they experienced in 2005. Published reports indicate that ChoicePoint's market capitalization dropped by $720 million immediately following the breach — though it recovered later. They also reported $11.5 million in charges directly related to the breach, not including fines and lawsuits.
There is more data out there that you can use. A conversation with Gartner revealed some interesting stats about information security spending as a percentage of IT spend. For a heavily regulated bank, it's nine to 12 percent depending on the level of maturity. For a manufacturing company it may be three percent. Other industries would fall in between. A Corporate Executive Board study by the Information Risk Executive Council says nine percent for financial services and gives some specific data for the amount that should be in the CISO's budget, as well as enterprise security spend. Forrester estimates a bank should be at 11 percent.
While certainly subject to variations depending on your industry, level of maturity, etc., these figures do give you a reasonable benchmark to measure against. If your peers are spending considerably more than you are, you should look to make sure you are meeting your due care obligations to protect the assets of the organization. Then again, the fact that you are providing quality security and spending less than your peers can be a good thing to bring to the attention of your boss.
30 SECONDS ON...
Cost of lost customers
If the loss of one customer amounts to $500, Cullinane estimates a breach of 100,000 customer names would cost the company $23.9 million, including the cost of mailing out letters and the subsequent loss of revenue.
Papa don't breach
If you think a 100,000-customer breach is unrealistic, the top 10 breaches of 2005 were all more than double that number. The largest breach was at the U.S. Department of Veterans Affairs: 28.6 million names exposed.
Factor in penalties
ChoicePoint agreed to pay a federal fine of $10 million for the mishandling of data and $5 million to compensate people who suffered from the breach. They also agreed to submit to external security audits for a period of 20 years.
Of 107 CFOs who completed PricewaterhouseCoopers' IT Effectiveness Management Barometer, released in late September, 76 percent say IT spending has positively impacted business.