Why managing information security as a business risk is critical, part 1: Financial impact

Part I: Direct Financial Impact

One the most significant challenges facing IT professionals today is a persistent siloed mentality that keeps them separate from critical organizational business initiatives like risk management. The silo problem is particularly prevalent as it relates to information security; a recent study from defense contractor Raytheon of 1,006 of technology executives, for example, found that 66 percent do not believe senior leaders in their organization view IT security as a strategic priority.

But the issue cuts both ways. In some instances, the information security professionals may be hesitant to share information and collaborate with other departments for any number of reasons, from concerns about time constraints to fears about lack of employee buy-in. In this three-part series, we will examine why it is so critical for IT security professionals and other stakeholders to change their collective mindsets and begin to think about security operations management as a crucial business risk, rather than a strictly technological issue.

Getting various departments—and the C-suite as well — working together is crucial to forming a comprehensive and effective security strategy. Collaboration and information sharing between departments makes end-user training easier and continuous dialogue between the SOC and key stakeholders increases the likelihood that the organization will commit financial resources to adopting powerful automated security solutions.

But the reality for CISOs and others in the SOC is that when a breach occurs, they will ultimately be held responsible. In fact, the pressure on CISOs is so great that it has actually given way to a trend of these professionals leaving the corporate world for the vendor side of the business. And nothing puts a security leader in hot water faster than a security issue that directly costs the company money.

The clearest example of how an information security event impacts a company fiscally is outright theft. Until recently, banks and other financial institutions were thought to be best prepared to fend off intrusions, but that illusion has been shattered. Some of the high-profile news stories recently have focused on cybercriminals swiping sensitive customer information, but some IT security professionals may be unaware that hackers have found ways to directly steal millions from banks using malicious software. The attacks were carried out against more than 100 banks in 30 countries and it is a virtual certainty that many CISOs and other security professionals at those institutions will suffer at least a damaged reputation and at worst, termination.

E-commerce is another example. At this point, nearly everybody familiar with information security or e-commerce understands that an intrusion that causes website downtime negatively impacts revenue. The surprise, particularly for large enterprises, may be exactly just how much money can be lost in a short amount of time. For instance, Mike Azevedo, CEO of database solutions provider Clustrix, was quoted as saying website downtime can cost e-commerce organizations a staggering $500,000 per hour. At that rate, even one data breach could impact a company’s quarterly numbers and put a CISO’s job in serious jeopardy.

Unfortunately, direct financial loss is not the only way organizations and their CISOs can be hurt by cyberattacks. Check back next week for Part 2 of this series where we examine how companies and IT security professionals can have their reputations harmed when a breach occurs.