The burden of proof always falls upon the CIO, CISO, InfoSec specialists, and IT service providers to justify the cost of cybersecurity. Or maybe they delegate the cost justification further down the ladder to you. In any case, that cost calculation needs to be done with both current operational data and a current valuation of the breach ‘aftermath’. Failure to look at all the cost ramifications will make your cybersecurity budget VERY SHORT, resulting in a lack of investment and a higher chance of breach. This is what we can call the RONI – Return On Non-Investment.
Identifying the operational data may seem like the easiest part, but it does require putting a value on that data. That alone may be tricky, because you have to educate yourself about what data is valuable on the black market and/or to a ransom hijacker. This may include employee data, medical records, proprietary data, transaction information, client lists, or maybe just your emails. For process and manufacturing facilities, including utilities and infrastructure, it means protecting the process from being hijacked and preventing loss of life, AND all the other items above.
Research Examines Cost of Stolen Data, Underground Service (written by Danielle Walker, published by SCMagazine.com) provides good insight into the value of data, which in turn will give you an idea of the cybersecurity needed to secure your network from breach.
Regarding breach aftermath, there are plenty of sources that show what happens after a breach, from recovery to sanctions and lawsuits. You cannot assume your cybersecurity cost calculation is complete once you have summed up only your operational downtime and the repair of resources. That is just the front end of recovery. Search for articles within your professional groups and organizations; you can find them via LinkedIn, through your certification organizations, or with a basic web search.
Another great article, Calculating the Colossal Cost of a Data Breach (written by Mary A. Chaput, published by CFO.com), highlights a TON of extra costs incurred from recent data breaches. I know this can be a very speculative part of your cost justification. But if you do not take the time to put a value on breach aftermath, you will surely reap the rewards of RONI, which could mean being tagged as the person responsible for the breach (however unfair that is) and losing your job!
There are lessons to be learned from all the past breaches, and one of the BIG lessons is that post-breach losses are not given a big enough value. We all understand the dilemma: ‘Given my total company value is $1 million, I cannot justify spending $1 million because my risk calculation is $10 million.’ But you still need to add in the cost to see the importance, and to create change in your cybersecurity strategy.
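As an added example (not from the original post), here is a small Python model of the calculation described above: the cost of one breach split into front-end recovery (downtime and repair) and aftermath (sanctions, lawsuits and the rest), annualised as an expected loss, then compared against the cost of a control to show the RONI. The expected-loss formula (annual breach probability times breach cost) is my assumption, since the post does not spell out a formula, and every dollar figure and probability below is constructed for illustration only.

```python
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class BreachCost:
    """Cost of a single breach, split the way the post describes it.

    downtime/repair are the "front end" of recovery that most budgets stop at;
    aftermath holds the post-breach losses (sanctions, lawsuits, ...) that the
    post argues are consistently undervalued.
    """
    downtime: float
    repair: float
    aftermath: Dict[str, float] = field(default_factory=dict)

    def front_end(self) -> float:
        return self.downtime + self.repair

    def total(self) -> float:
        return self.front_end() + sum(self.aftermath.values())


def expected_annual_loss(cost_per_breach: float, annual_breach_probability: float) -> float:
    """Assumed model: expected loss per year = P(breach in a year) x cost of that breach."""
    if not 0.0 <= annual_breach_probability <= 1.0:
        raise ValueError("annual_breach_probability must be between 0 and 1")
    return cost_per_breach * annual_breach_probability


def breakeven_budget(cost_per_breach: float, p_without_control: float, p_with_control: float) -> float:
    """Largest annual spend on a control that still pays for itself in expectation:
    the expected loss it removes."""
    return (expected_annual_loss(cost_per_breach, p_without_control)
            - expected_annual_loss(cost_per_breach, p_with_control))


def roni(cost_per_breach: float, p_without_control: float,
         p_with_control: float, control_cost: float) -> float:
    """Return On Non-Investment: expected annual loss avoided by the control, net of
    its price. Positive means declining the control costs more than buying it."""
    return breakeven_budget(cost_per_breach, p_without_control, p_with_control) - control_cost


# Constructed figures for illustration (not from any real breach).
EXAMPLE_COST = BreachCost(
    downtime=150_000,
    repair=50_000,
    aftermath={
        "regulatory sanctions": 400_000,
        "lawsuits and settlements": 600_000,
        "notification and credit monitoring": 150_000,
        "lost customers": 650_000,
    },
)
P_WITHOUT_CONTROL = 0.25   # constructed: one breach every four years without the control
P_WITH_CONTROL = 0.05      # constructed: one breach every twenty years with it
CONTROL_COST = 150_000     # constructed: annual cost of the control


def compare_views() -> Dict[str, float]:
    """RONI computed on the front-end-only cost versus the full cost including aftermath.
    Returns {'front_end_only': ..., 'full_cost': ...}."""
    return {
        "front_end_only": roni(EXAMPLE_COST.front_end(), P_WITHOUT_CONTROL, P_WITH_CONTROL, CONTROL_COST),
        "full_cost": roni(EXAMPLE_COST.total(), P_WITHOUT_CONTROL, P_WITH_CONTROL, CONTROL_COST),
    }


if __name__ == "__main__":
    for view, value in compare_views().items():
        print(f"{view:>15}: RONI = ${value:,.0f}")
```

With these constructed numbers the same control looks like a $110,000 loss when only downtime and repair are counted, and a $250,000 gain once the aftermath is included: the budget is "short" precisely because the aftermath was left out of the calculation. Swap in your own operational data and aftermath estimates; the structure of the comparison is the point, not the figures.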