Last Updated on June 4, 2020 by Satyendra
Data is the lifeblood of any organization, yet many CISOs still struggle to convey the financial risks associated with the loss or theft of that data.
Data breaches continue to dominate the headlines with alarming regularity, and the new challenges arising from global shifts in work habits are creating a growing number of risks that organizations have to deal with.
These new challenges bring with them potentially crippling financial risks from the costs of implementing security solutions and incident response teams, to remediation and recovery from potential brand damages and compliance fines.
Complicating matters further is that, in many organizations, data is stored and is moving across a variety of complex infrastructure, both on-premise and in the cloud. How can organizations assess their risks and implement the appropriate security budgets if they cannot get a grip on exactly what sensitive data they have and where it is stored?
What is Infonomics?
Infonomics is a fairly new method of establishing liabilities and setting budgets for intangible assets with the same rigor and process applied to traditional ones. It is intended to ensure that intangible assets (such as data) get the same level of attention and budget as traditional assets, whereas they have traditionally confused members of the board or been ignored or underestimated by them.
Assess the Risks to Each Dataset and Implement Budgets Accordingly
There are numerous ways that security teams can monetize their data to get an understanding of the associated risks. Compliance regulations, including the GDPR, HIPAA, CCPA and others, categorize datasets in terms of their importance and the subsequent monetary value, such as personally identifiable information (PII), protected health information (PHI), payment card information (PCI) and more.
Large financial penalties are already being applied to those organizations that are involved in breaches containing these datasets. This should give an indication as to the importance and potential return on investment that adequate protection for data can provide.
CISOs need to work with the CDOs to ensure that they have assessed the risks posed to each dataset and have prioritized and planned the appropriate security controls to be implemented whilst also ensuring they are able to maintain business continuity. It’s important to understand which regulatory and industry standards are applied to the data they store and ensure the budgets are issued to adequately meet them.
Included within the risks that need to be assessed and have budgets applied to them are:
- Incident response investigations and remediations
- Potential non-compliance penalties
- Quick breach notification costs
- Potential damages to reputation that may result in loss of investor confidence, drop in share price or loss of confidence from consumers – all affecting the bottom line.
- Potential legal expenses and increases in cyber insurance premiums.
This is not an exhaustive list by any means.
Collaborate to Understand Liabilities and Apply Them to the Balance Sheet
Businesses simply must understand how threats to their data might affect the bottom line of the business, particularly in terms of margin and overall growth versus goals. Placing analysis of data liabilities within language that the rest of the board understands, such as a balance sheet, might make it easier to weigh the costs of data security against the potential rewards.
To do this properly, collaboration is required between the CISO, CIO, CDO and other members of the security team to provide a more holistic view of the security of the organization so that a more appropriate budget can be assigned.
The problem many teams face is that the threats posed to data are often intangible and difficult to quantify, so they are often unrecognized by accountancy standards. CFOs use a number of metrics to quantify liabilities and how they impact the bottom line, including:
- Gross Margin: It’s useful to understand the gross margin of a business against revenue forecasts to determine how much potential spend there might be for security solutions.
- Discounted Cash Flow: This is applied to intangible liabilities, such as threats to data, to determine the value of data assets over their lifetime.
- Security Budget: If the business must implement certain security requirements by law or due to incidents/standards, then this will set a minimum security budget (independent of the IT budget). Security budgets should be seen to directly affect the bottom line of businesses by preventing costly security incidents.
Collaboration, particularly between the CISO and the CDO, is helpful to balance the evaluation of risks and liabilities. The different functions of the two roles can help to ensure that investment in one area is not skewed. The wider that this collaboration occurs throughout the business, the more potential there is for an appropriate security budget to be fully understood and granted.
Risk Assessments Are Critical
It is absolutely crucial that you understand the monetary value of your data, and are able to then calculate what security measures need to be put in place and whether you have the budget required to meet it.
The lifetime value of data changes over time. A name and address might not be useful in a decade’s time, when it’s likely the name will no longer be associated to that address. It’s important you can calculate the lifetime value of your data and how it will change. Once you understand this, you can plot this against the potential liabilities that you have determined. Together these can be mapped against opex and capex to see if the cost of remediation is within budget. If not, budgets may need to be reassessed or other means of security solutions need to be implemented.
If you perform regular data risk analyses, you will be able to spot where you can reduce your security footprint by removing or deleting datasets that no longer provide value.
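The discounted cash flow approach from the liability metrics above, and the lifetime-value-versus-liability comparison in this section, worked through as an added example (not code from the original article or from Lepide). The datasets, decay rates, breach probabilities, costs and the three decision rules are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Dataset:
    """One dataset with constructed, assumed figures (not from the article)."""
    name: str
    records: int
    value_per_record: float       # present-day value of one record
    annual_decay: float           # share of value lost each year as records go stale
    annual_breach_prob: float     # assumed probability of a breach in any one year
    liability_per_record: float   # fines, notification, IR and legal cost per record

def discounted(amount: float, rate: float, year: int) -> float:
    """Present value of an amount received or paid `year` years from now."""
    return amount / (1 + rate) ** year

def lifetime_value(ds: Dataset, rate: float, years: int) -> float:
    """Discounted cash flow of the dataset's value, decaying year by year."""
    return sum(discounted(ds.records * ds.value_per_record * (1 - ds.annual_decay) ** y, rate, y)
               for y in range(years))

def expected_liability(ds: Dataset, rate: float, years: int) -> float:
    """Discounted expected breach cost: probability x impact, summed over the horizon."""
    yearly = ds.annual_breach_prob * ds.records * ds.liability_per_record
    return sum(discounted(yearly, rate, y) for y in range(years))

def control_cost(capex: float, opex: float, rate: float, years: int) -> float:
    """One-off capex plus discounted recurring opex for the controls protecting the dataset."""
    return capex + sum(discounted(opex, rate, y) for y in range(years))

def assess(ds: Dataset, capex: float, opex: float, rate: float, years: int) -> dict:
    """Map value and liability against the control budget and recommend an action (assumed rules)."""
    value = lifetime_value(ds, rate, years)
    liability = expected_liability(ds, rate, years)
    cost = control_cost(capex, opex, rate, years)
    if value < cost and value < liability:
        action = "delete"           # data is worth less than the cost and the risk of keeping it
    elif cost <= liability:
        action = "protect"          # controls cost less than the liability they remove
    else:
        action = "reassess budget"  # controls exceed the liability; revisit budget or controls
    return {"dataset": ds.name, "value": value, "liability": liability,
            "control_cost": cost, "action": action}

if __name__ == "__main__":
    # Constructed example datasets: fresh customer PII versus a stale mailing list.
    fresh = Dataset("customer PII", 1000, 1.0, 0.50, 0.10, 10.0)
    stale = Dataset("old mailing list", 1000, 0.1, 0.75, 0.10, 10.0)
    for ds in (fresh, stale):
        print(assess(ds, capex=500.0, opex=200.0, rate=0.0, years=3))
```

With a non-zero discount rate, later years of both value and liability count for less, which is what makes a long-retained but stale dataset a candidate for deletion rather than continued spend.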
How Lepide Helps Monetize Data and Reduce Risk
The Lepide Data Security Platform empowers CISOs, CIOs and CDOs by giving them an immediate and dynamic view of the monetary value of each dataset. The platform discovers and classifies datasets by compliance or industry standard to give you a clear picture of the volume of sensitive data in key storage platforms and the actual value that represents.
With this information at your fingertips, you can ensure that you are implementing the appropriate security controls, such as managing permissions and privileges, monitoring user behavior and alerting on threats and anomalies.