Recently, I read a piece directed at CFOs. The question was asked, “You may have a cyber breach that costs $25 million. Don’t you think it’s prudent to invest $1 million to prevent it?”
This is the state of the hyper-active consultants.
Let’s examine the question.
First, each of us needs to understand the potential cost of a breach in our organization. Not what others have reported, the extremes, but what applies in our specific facts and circumstances. We need a careful business impact analysis.
Then we need to understand the likelihood of a breach that would have a significant effect. It’s not the likelihood of a breach that we need to be concerned with. It’s the likelihood of a breach with an unacceptable impact on the business.
As I explained with examples in Making Business Sense of Technology Risk, a breach can have a small effect, a moderate effect, or a significant one. There is a range of potential effects, from graffiti on a web site to the loss of essential intellectual property. Each point in that range has its own likelihood.
While we may be concerned with multiple breaches of low impact, most of us are focused on the likelihood of a breach that would disrupt or cost us more than we can tolerate – making it more difficult to achieve our enterprise objectives.
XX
Fortunately, we…
