BreachExchange mailing list archives

Why Security & Profitability Go Hand-In-Hand


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 20 May 2014 19:00:10 -0600

http://www.darkreading.com/why-security-and-profitability-go-hand-in-hand/a/d-id/1252679

The threat landscape has evolved tremendously during the past several
years, yet many businesses’ priority lists have stayed the same. Business
leaders in executive offices are determined to get revenue-generating
projects on the market first, and then, usually a year later, they worry
about security.

According to Trustwave’s recently released "2014 Security Pressures
Report," 79 percent of respondents said they felt pressured in 2013 to roll
out IT projects despite concerns that the projects were not security-ready.
The survey, which polled more than 800 full-time global IT professionals
about the information security pressures they face, revealed that, too
often, security is an afterthought in the product development process --
though that’s not necessarily intentional.

According to the report, 85 percent of IT pros say a bigger IT security
team would reduce pressures and bolster job effectiveness. But for many
businesses, security is not a core competency, and in-house IT teams say
they do not have the staffing or expertise to build and manage a security
strategy that effectively covers all potential attack vectors. As a result,
the internal teams feel overwhelmed and uncomfortable working on projects
within their wheelhouse while also protecting company data, according to
the survey.

From my personal observations working with businesses of all sizes, the
problem stems in part from the basic architecture of the enterprise IT
team, which is typically segmented into groups (application, server,
infrastructure, desktop) -- none of which is directly responsible for
security. If there is a security group, it is usually off to the side and
relegated to a secondary role dealing with issues after the fact, when
other groups have already rolled out their projects.

If that isn’t enough to convince you of the need for a greater investment
in security, consider a recent Gartner survey of more than 2,300 CIOs
reported earlier this year in The Wall Street Journal. The CIOs ranked
security No. 8 on a list of strategic priorities, compared to 10 years ago,
when security was the No. 1 concern. Research from Forrester, meanwhile,
shows that 36 percent of breaches stem from inadvertent misuse of data by
employees, a problem that can also clearly benefit from investments in user
education.

Follow the money
There’s also a downside on the balance sheet of security ROI, stemming from
real tangible costs that can add up quickly in the wake of a data breach.
If your business handles payment card information, for example, you may
need to pay a fine for non-compliance with the Payment Card Industry Data
Security Standard (PCI-DSS), a requirement that a business must meet if it
stores, processes, or transmits payment card data. Fines range from a few
thousand to hundreds of thousands of dollars depending on how many payment
cards were determined to be at risk of compromise. A compromised business
must also pay for card replacements and fraud reimbursement, meaning if the
criminals made transactions using the stolen payment cards, the onus is on
the victim organization to pay back that money to the card brands.
Businesses must also pay for a post-breach forensics investigation and, in
many cases, legal counsel as well.

Coupled with the tangible costs, there are also intangible costs that could
potentially cripple a business. Depending on the nature of the breach, you
may have to temporarily halt operations to clean up the damage, which could
mean more lost revenue. Some companies may need to scale back on
operations, which would mean slower operations and another potential
decrease in cashflow. Customers may also lose faith in the victim
organization, including long-time loyal customers who have regularly pumped
dollars into company coffers for years. If the business is public, a loss
of market share could cause revenues to drop.

There is no silver bullet when it comes to securing valuable corporate
information. But as businesses connect just about everything to the
Internet, it’s never been more critical to put security on the front line
to protect the bottom line -- and roll out IT projects only when they are
market-ready and secure.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com