Australian enterprise will spend more than $3.5 billion on cyber security this year – 6 per cent more than it did last year. In 2019 the pedal will go to the metal, with analyst Gartner predicting a 9.8 per cent spending surge to deal with the scourge of cyber crime and to reduce the risk of accidental data breach.
The advent of mandated data breach notification in Australia, which obliges businesses to alert the authorities, inform affected individuals and remedy any serious data breach, along with the General Data Protection Regulation, which affects many organisations doing business in Europe or with Europeans, has upped the cyber ante.
But what does business get for its money? That is the question more CFOs are asking, according to Gartner research director Rob McMillan.
The technology analyst has polled business in the past about which C-suite executives are most engaged by matters digital, and the CFO has almost always ranked lowest. It seems that the cyber security challenge is shifting the dial.
The poster boy for CFO cyber engagement was Target’s CFO John Mulligan, who led the US company’s response to a congressional inquiry into the 2013 data breach that exposed up to 70 million customers’ credit card and personal details. He detailed what the company had invested in to protect itself; it was still breached.
Simply throwing money at the challenge won’t defuse the threat; funds need to be invested wisely – and spread across areas such as technology, education, and skills development.
Speaking at Gartner’s recent security symposium in Sydney, McMillan outlined the key questions CFOs are asking about their information security spending. “The CFO is coming under the public spotlight for the performance of organisations where security incidents are having a material effect on financial performance,” he said.
But he acknowledged that security suffers from a lack of metrics, which makes it very hard to demonstrate to the CFO the value the business receives for its cyber security investment, and to evaluate the efficiency and effectiveness of a cyber security program.
McMillan advocated a balanced scorecard approach. He said CFOs would focus on the financial quadrant of that scorecard, which explains how a business would:
- use security to grow the business;
- be efficient in its security management;
- execute projects on time and on budget; and,
- manage suppliers cost effectively.
But he said CFOs could not expect a simple answer to the question of how much a data breach might cost an enterprise.
McMillan said some minor breaches had little impact, while others could result in the shutdown of business operations and raise the risk of class action. “You are not going to know what next week’s incident is going to look like. And there’s a pretty good chance it’s going to affect someone else as well. Those costs get really difficult to manage,” he said.
“A typical case might only cost $50,000-$100,000 – the worst case is half a billion dollars.”
A heat map with two axes, business impact versus likelihood of an incident, was a useful tool for depicting and identifying potential risks, he said; the resulting picture could then be used to determine how much should be allocated to addressing each risk.