Summary Bullets:
- Companies aren’t investing strategically in security because nobody really understands the full cost of cybercrime and it’s extremely difficult to measure risk accurately.
- Getting investors to prod companies to take security more seriously could change that paradigm.
Here’s a thought: Why isn’t security considered a strategic investment? And could the thinking evolve over the next few years to come around to that conclusion? After all, we continually hear about how security has become a board level issue. And CISOs are getting more airtime with the board than ever before. I think there are two main stumbling blocks to getting there, and neither is easy to overcome.
First, it’s impossible to measure the true cost of cybercrime. Last month the Center for Strategic and International Studies released a report sponsored by Intel/McAfee that pegged the global cost of cybercrime at anywhere between $375 billion to $575 billion. Of that loss, $200 billion was attributed to the U.S., China, Japan and Germany. I personally think that those figures greatly under estimate the total economic losses that result from cybercrime because they don’t take into account all the factors that make up a loss, and because a lot of breaches in which intellectual property or other valuable data are stolen are never reported.
What’s more important however, is the fact that the losses keep escalating year after year, and all of the experts agree on that. The other hurdle keeping organizations from strategically investing in cybersecurity is the Herculean effort it takes to try to measure cyber risk. In the grand scheme of things, the losses in the U.S. amount to less than 1% of gross domestic product (It’s actually 0.64%). From that perspective it’s a drop in the bucket – a small cost of doing business. Yeah, tell that to Target’s investors once its losses are finally tallied up. By some estimates, after all the lawsuits are done that figure will likely top $1 billion. Or ask the founders of companies that went out of business because of a cyberheist whether they thought they had spent enough on security.
But while difficult, it is not impossible to measure cyber risks, and there are consultants available to help with the task. One promising sign on the horizon comes from infamous private equity company KKR. Last year it started to evaluate the cyber risks of companies in its portfolio, enlisting the help of BitSight Technologies to analyze the security effectiveness of KKR-owned companies, and then working with security company Stroz Friedberg to prioritize the risk to those entities. I think this kind of attention from investors could make all the difference in getting at least publicly held companies to invest strategically in security. I like the suggestion that Jason Healey made in his column in U.S. News and World Report in May. Healey, director of the Cyber Statecraft Initiative of the Atlantic Council, posited that if famed investor Warren Buffett were to endorse the White House’s Cybersecurity Framework, every other investor and corporate board director would take notice.
IT Connection 