The title of this post might raise a few eyebrows—after all, given the last few years of high-profile breaches at Target, Home Depot, Anthem, Premera, Sony Pictures, and elsewhere, who needs a business case for Information Security? Good InfoSec is table stakes at most organizations, right?
Yet even if InfoSec is table stakes (i.e. “Do it, or you go to jail”), the decision to address it is still a business decision that needs to balance risk and reward, cost and benefit. So being able to articulate what the organization gets for doing good InfoSec beyond just “the law says so” is important—if you want to be more than just a policeman and become a valued strategic partner to your business stakeholders.
And while a business case for InfoSec will look different at every organization, there are four broad areas that a strong InfoSec business case can impact at practically any firm:
- Storage costs
- Application support
- Cyber security insurance
- Audit costs
Let’s take a look at each of these areas.
Storage Costs
Good InfoSec leads to lower storage volumes overall, particularly because it influences how an organization manages its corporate data throughout its lifecycle, from creation to disposition. When an organization can effectively manage data from a lifecycle perspective, it retains lower volumes of unneeded data—i.e. data that’s past its legal or operational life. Doing so allows an organization to reduce the volume of live data on storage appliances and to reduce its overall storage footprint.
But even if an organization is leery of purging data, e.g. because Legal has a “keep-everything-because-it-might-exonerate-us” stance, better information life cycle management allows an organization to tier data more effectively, moving less-used data off of Tier 1, high-availability (very expensive) storage to Tier 2 or Tier 3, less-available (much less expensive) storage.
Best case, an organization outsources its data center to a vendor, so when its storage volume goes down or the mix of Tier 1, 2, and 3 storage shifts down, so do its costs. But even if an organization rents or owns its storage outright, better information lifecycle management can impact costs positively, either because the company can turn in storage for money back or reduce the amount it needs to spend going forward by reducing its future volume growth.
Application Support Costs
At most organizations, there are 1.5 to 3 applications per employee—at some firms, the number can be closer to 5 or 6. This bloated portfolio typically consists of a tangled, unmanaged mess of up-to-date, cutting-edge, commercial-off-the-shelf (COTS) products, out-of-date COTS products, and home-grown systems of dubious provenance. And the vast majority of these applications have no specs associated with them, so the original requirements they were meant to meet are unknown; the logic they follow is undocumented; and what’s needed to maintain them, integrate them, or replace them is either tribal knowledge (best case) or wholly unknown to the organization (worst case).
From what I’ve seen, a significant portion of these applications are solely fulfilling a viewer function, i.e. they’re kept alive simply to allow end users access to their data, but there’s no longer any need for the functionality (workflow, analysis, etc.) they can provide.
Typically, the costs and risks to the organization of maintaining out-of-date applications are largely invisible, but that doesn’t make them any less real. High software maintenance costs, higher staffing levels for support, and the security and legal risks posed by these unneeded applications can run into the millions or tens of millions of dollars annually.
Good InfoSec allows an organization to better understand the systems it has and the data those systems manage, which enables it to make rational, risk- and value-based decisions about which to invest in, which to maintain, and which to sunset. This typically leads not only to substantial year-over-year savings, but also to improved end-user satisfaction, because the number of applications the average end user needs to use to do their job is reduced.
Cyber Security Insurance
Cyber security insurance is a contentious subject. Calling cyber security insurers snake oil salesmen is perhaps going too far, but, being more generous, suffice it to say that the domain is much more nebulous than other forms of corporate insurance when it comes to things like how risk is quantified for a given firm, how premiums are calculated, how claims are adjudicated, and how disputes are settled.
Despite all that uncertainty in these four areas, two things are somewhat certain. First, the less risky data a firm can demonstrate it has, the lower its premiums will be. For example, having 30 million sensitive data elements (PHI, PCI, PII) will cost more than having 15 million. Whether this means that a firm that reduces its sensitive data footprint while insured will see lower (versus simply flat) premiums year over year is debatable. But the costs will certainly be lower than if it left this sensitive data unaddressed.
Second, in the case of a breach that leads to a claim, if the firm hasn’t been following its own policies (e.g. its retention schedule says it purges billing data after 7 years, but it in fact retains it indefinitely), it’s up for grabs whether the insurers will even pay the claim.
Better InfoSec leads to better information life cycle management, which means a firm will more frequently be in compliance with its own policies and have lower volumes of sensitive data to be exposed in the event of a claim—both of which will tend to decrease cyber insurance costs.
Audit Costs
Leaving aside the negative consequences of a poor audit result, audits are expensive and time-consuming no matter what the outcome. When data is difficult to find, or uncertain as to its provenance and integrity (or both), audits take longer and are more expensive to conduct. Not to mention the unfavorable impression that difficulties in gathering information make on the auditors.
Better InfoSec leads to a better knowledge of where key corporate data lives and makes it easier to produce it, as well as making a firm (and its auditors) more confident that the data produced is the right data.
All of this means less time to conduct the audit—both for the auditors and for the organization’s own FTEs.
The Final Word
Making a strong business case is one-third science and two-thirds art, so a single blog post could never do it justice. But hopefully this post has given you insight into the direction you need to go to make a stronger InfoSec business case, along with some ideas for what you’ll find when you get there.