Quick: Where do you go to find the cost-per-record of a data breach? Reports from the Ponemon Institute? The annual Verizon Data Breach Investigations Report? How about the NetDiligence Cyber Claims Study? These are all credible and popular sources for breach cost benchmarking, but they give drastically different answers to the question. The Verizon report shows pennies per record for breaches, while Ponemon has shown hundreds of dollars per record. NetDiligence breaks down the analysis with a smaller sample of large and small organizations to explain the difference.
Now imagine that you bring an executive Ponemon’s recent estimate of $245 per record and you hold four million consumer records. “Are you telling me a breach would cost us a billion dollars?” the executive would ask. “Who pays a billion dollars for a breach?”
What if you brought the Verizon report’s number of $.58 per record. The executive would ask, “A cyber insurance policy for $2.5 million means we don’t need to spend on cybersecurity!”
The numbers you have at our disposal vary so greatly because the methods that analysis use vary so greatly. Ponemon typically looks at smaller organizations, while Verizon looks at organizations of all sizes. NetDiligence looks at organizations whose insurance claims are confidentially offered to their report.
These discrepancies are not limited to breach costs. They are also found in studies that try to establish benchmarks for cybersecurity budgets. Boston Consulting Group recently found that cybersecurity budget benchmarking as a percentage of the IT budget varied between PwC’s 3.7% estimate, Gartner’s 5.9% and Forrester’s 10%.
This is why we get lost while looking for benchmarks that answer our executives’ questions. But we don’t have to be prisoners of this dilemma if we think about what executive are actually asking.
“We find that executives are really asking, ‘what is expected of us?’ and they seek those answers by looking for common practices,” says Jim Mirochnik, CEO of HALOCK. “But do you really want to set your cybersecurity metrics to your peers if your peers are getting hacked?”
Chris Cronin, partner at HALOCK and the developer of the DoCRA (Duty of Care Risk Analysis) Standard answers the question differently. “We need to manage security so that everyone will be OK. This means reducing the likelihood of harm to others using controls that are acceptably burdensome to us.”
The construct in law for “reasonable” security is to use safeguards that are not more burdensome than the risks they are meant to reduce. Use a cure that is not worse than the disease. “Analyze the risks you are trying to prevent, then analyze the risks to you and others that your proposed safeguards pose. Your risks can include your costs, lost efficiency, lost benefit to customers … any burden on you or your value that the safeguard creates. If those burdens are not greater than the risks you pose, then prioritize them into annual budgets, and there’s your metric.”
Cybersecurity benchmarks do not provide reliable numbers. Moreover, they do not answer the question executives are actually asking.