It's no secret that porous data security is a massive and costly problem for the United States economy and individual businesses.
In 2012, companies will lose an average 0.6 percent of revenue as a result of poor data security. By 2018, I estimate that figure could swell to 1.6 percent. That's $16 million annually for a $1 billion organization.*
Couple the cyber threat to our economy with the cyber threat to our national security, and it's no wonder the government is interested in policing the situation. A number of bills, such as the Stop Online Piracy Act (SOPA), Protect IP Act (PIPA), the Cybersecurity Act of 2012, and the Cyber Intelligence Sharing and Protection Act (CISPA), have been introduced by Congress in an effort to do something about the threat of cyber attacks and cyber crime. Perhaps expectedly, most of these have been met with a fair amount of controversy. The reality is that it could take a long time for any of these bills to complete the legislative process and become law – and perhaps even longer for any of these measures to have the desired effect – reducing data breaches.
Whether for or against any of these various cyber security bills, it's hard to overlook the fact that cyber crime and data theft are a massive and often self-created problem. Companies today do not do an adequate job of protecting their own data – from customer data to personally identifiable information to intellectual property – arguably their most valuable assets. Quite simply, Congress wouldn't even be considering bills like CISPA if companies were effectively securing their own data and intellectual property.
The problem of data security is clearly significant enough to have drawn the attention of the U.S. government. If it can be that crippling to the entire U.S. economy, imagine what it can do to one single private company.
So, the real question is, who is ultimately responsible to stop data loss? I'd argue that each business, not the government, is responsible for protecting its own data.
It's time for businesses to get serious about data security.
I once read that it is every executive officer's fiduciary responsibility to secure their information. This statement has always stuck with me, for it perfectly articulates the importance of information protection. There should be a line item on the agenda of every executive board meeting titled “Information Risk Management.”
Too often, I meet with IT security directors who understand that they need to do a better job tackling data security, but their voices fall on deaf ears with their internal executives. This is likely because security leaders often are forced to react, instead of lead, and are forced to derive budget and mindshare from fear, threats and exposures. Industry leaders often do not speak the same language as executives.
“Take a business approach to arguing for improved emphasis on data security.”
– Kevin Pouché, partner and chief operating officer, K logix
According to research firm Gartner, only five percent of IT budgets were allocated to security, which means companies spend less than .016 percent of total revenue on security. Now, budget alone won't solve the security problem, but with such an inadequate effort being paid to data security, it is no wonder the government sees a need to regulate the issue.
How can those in charge of IT security secure a higher budget? Take a business approach to arguing for improved emphasis on data security. By effectively communicating the dramatic impact data protection can have on business financials, IT leaders can gain greater mindshare and investment in data security, and businesses can become proactive rather than reactive when it comes to protecting data and defending themselves against cyber crime – for it is their own profits at stake.
The real impact data loss has on revenue – from 0.6 percent in 2012 to an estimated 0.77 percent in 2013 to 1.6 percent in 2018 – shows the escalating impact that protection (or lack thereof) has on bottom-line revenue – something business executives and corporate boards understand. By presenting the case for data security in this manner, CSOs underscore the importance of addressing data security thoroughly, this year and each year moving forward. These numbers fundamentally change the conversation IT has with executive teams, using hard numbers that executives understand and care about to argue for bigger investments and security awareness.
Once organizations have this revenue data to support a productive conversation, they can set realistic milestones and expected outcomes for data security efforts. These milestones can include understanding the value and risk of data, identifying potential threats and vulnerabilities, setting remediation plans and creating and implementing policies and procedures to make the organization more aware of security.
Benjamin Franklin once said, “An ounce of prevention is worth a pound of cure.” If companies put the appropriate amount of emphasis on identifying and protecting their critical data, we'll have less of a need for the government to impose regulations as a safety net for data security.
Kevin Pouché is a partner and chief operating officer at K Logix, a Boston-based data security firm.
*The figures for this opinion article account for traditional data leakage resulting from standard online threats, social engineering, employee negligence and misuse and corporate espionage – both international and from U.S.-based competitors. Organizations that experience one-time massive data breaches, like the one Sony recently experienced, see much higher rates of revenue loss. We calculated these figures by comparing the U.S. GDP against the total number of anticipated data breaches times their expected cost