It is clear, from market activity and recent surveys, that the two highest profile threats driving boards to pay real attention to information security today are punitive regulatory action for non-compliance and terrorist activity. If boards were to do effective risk assessments, however, they might find that these threats both fall into the ‘high impact, low probability’ category. Yes, it’s good news that the Director General of MI5 is encouraging business to ‘broaden [its] thinking about security issues.’ It’s good news that product vendors are getting senior management attention with slogans such as “Pay lip service to compliance and kiss your job goodbye”.
However, it’s the more boring, mundane threats that are really costing businesses – both financially and reputationally. While there is no standard methodology for estimating the cost of an information security incident, survey after survey reports businesses admitting to their occurrence and, in the case of the authoritative CSI/FBI survey (carried out amongst the CSI’s supposedly security conscious member firms), admitting to an average cost per incident of nearly $2 million – and this excluding the cost of any reputational damage.
This, to any business, is real money – and the cost of avoiding these losses is usually less than the cost of the losses themselves. Boards would be better advised – and shareholders better served – if they implemented comprehensive risk assessment methodologies than if they simply responded to high profile newspaper and government scaremongering.