Security has come a long way over the past decade. It is still the red-headed step child of the business units but at least most organizations have some sort of CSO or CISO role in place and do a good job feigning support for security. Businesses that focus on squeaking by spending as little as possible on security, though, are bound to find out the hard way just how expensive a lack of security can be.
Organizations take security more seriously these days—thanks in large part to compliance mandates like SOX (Sarbanes-Oxley), HIPAA (Health Insurance Portability and Accountability Act), PCI-DSS (Payment Card Industry Data Security Standard) and others. However, where the rubber meets the proverbial road, security is still seen as a necessary expense to be minimized so that budget can be devoted to “more important” business functions that actually bring in revenue.
Compliance frameworks do an adequate job of elevating awareness of security concerns and even enforcing some sort of minimum baseline standard. The reality, though, is that being compliant and being secure are two different things. When the goal is to check the right boxes and pass a compliance audit rather than to actually implement effective security, the organization still leaves itself exposed to significant risk.
What for? To try and save a few dollars? To spend as little as possible on security? Ask any company that has experienced a data breach or major malware attack and you will find fairly unanimous agreement that the cost of cleaning up after a security incident is significantly higher than the cost of implementing effective security measures proactively. After the security incident is mitigated, these organizations generally end up investing in the security measures they should have had in the first place.
One way to look at it is the way I view home improvement projects—for example, replacing a water heater. The cost to hire someone may seem high, so I can try and do the project myself. Ultimately, though, I’m likely to screw it up, resulting in significant water damage to my house. In the end, I will still have to pay someone to come and do the job right, but now I also have the additional costs of my own time and effort messing it up and the extra cost to clean up my mess.
A recent study from the Ponemon Institute found that the average cost of a data breach is $3.8 million. A different Ponemon Institute report states that an unplanned data center outage costs nearly $8,000 per minute. The cost to recover from a security incident or data breach may vary significantly depending on the size of your organization, but I am confident that implementing effective security measures will cost dramatically less than paying for the consequences of not doing so.
Why not skip past all the mess in the middle and just go straight to the part where you invest the money to do the job right the first time?