StorefrontBacktalk

Budgeting For A Data Breach

Written by Walter Conway

March 31st, 2010

It has been said that there are two kinds of systems in this world: Those that have been breached, and those that are going to be breached.

If this premise is true, asks PCI Columnist Walt Conway, doesn't it make sense for CIOs to budget for a serious data breach or similar contingency?

This Story Is Only Available For Premium Subscribers. Click Or Login In Below To Read The Rest Of This Story.

Already a Subscriber? Login Here

Username
Password
Login
Forgot Your Password? \| Site License

Posted in IT Strategy/Industry, Payment Systems, Premium Content, Security/Fraud

6 Comments | Read Budgeting For A Data Breach

Dave CISA/M/SP Says:
April 1st, 2010 at 1:35 pm
Budgets are operational exercises. Breach plans are contingencies. So do you budget for a breach? Not unless you’re forecasting one during the fiscal period. And the whole purpose of having an information security program is to plan to NOT have one (at least that’s how WE do it – your mileage may vary).

Do you PLAN for handling a breach and it’s aftermath, absolutely. Do you vet your plan with simulations an tabletops? Yep. Do you calculate potential costs? Certainly. There are numerous data points on compromise available from credible sources. QSAs however are not one of them. Not even if they’re QFIs.

So do you seriously put forward $6.6 million as a number? Perhaps. If you’ve always secretly wanted your peers to refer to you as Chicken Little. If you’re looking for some way for leadership to perceive you as more hysterical. If credibility is burden with which you’ve never been comfortable. Or If you’re leaving for another job, dislike your employer, and never want to use them for a reference. In that case, $6.6 million is the number for you.

If you like your job, value your career, or have just plain worked hard to esablish your credibility as an Info Sec profesional – try this. Research services can give you a range of approximate per-record costs, which you can use to create worst-, best-, and mid-case scenarios. Your acquirer may be able to supply yhem as wel. Your acquirer can also help you out with the differences between card-present breaches and card-not-present breaches, prohibited data fines, PCI DSS non-compliance fines, and the like. Compromise costs are unique to the company, the industry, and the breach. In the end, if you put a little bit of effort into the exercise using credible sources, you can put together an estimate tailored to your organization using a defensible methodology. Good luck!
Walt Conway Says:
April 2nd, 2010 at 12:22 pm
Thanks for your comment, Dave. I think we agree on the importance of having a realistic, practiced incident response plan in place. My point was that a plan without resources is going to be difficult/impractical to implement. Whether the resources are budgeted or specifically identified is less important than the fact that there is some allocation.

As for the $6.6 million number, I noted it is “not precise.” Maybe you missed my following tongue-in-cheek note immediately following that “It helps to keep in mind that 92 percent of all IT statistics are made up.” Perhaps I should have added “…including this one”?
Todd Aument Says:
April 2nd, 2010 at 3:33 pm
The PCI Glossary defines a risk analysis as:

“Process that systematically identifies valuable system resources and threats; quantifies loss exposures (that is, loss potential) based on estimated frequencies and costs of occurrence; and (optionally) recommends how to allocate resources to countermeasures so as to minimize total exposure. ”

In that context, unless you have your own personal breach data, quantifying your loss exposure is probably best done with industry standard research data. Whether you use the Forrester numbers, Ponemon numbers, Verizon numbers, or some other formal research data, you should assign a dollar value to your assets and loss exposure. (call it loss potential or loss expectancy or cost of occurrence, whatever you wish)

Your number for catastrophic breach may be $1,000, $1M, $6.6M, or it may be $1B. The point is to define it and use it as input to your risk analysis.

If you’re spending a dollar to protect a dime, you might want to rethink. If you’re spending a dollar to protect a million, you can probably count on losing your million.

Your risk analysis may identify some risks that pose a high likelihood of occurrence or exploit. Without a dollar value on your assets, how do you know what is appropriate to spend on mitigation? Without a proper (and properly budgeted) mitigation strategy to lower the likelihood, budgeting for that breach might, sadly, be appropriate. Grain of salt not included.
John Cartwright Says:
April 6th, 2010 at 12:43 pm
Dave’s examples of the InfoSec guy being the butt of jokes and likely being ostracized as a result of budgeting six figures for a breach that may or may not happen is valid, but what about the InfoSec guy at the company that actually got breached? Budgeting or not, if your job is managing security and that security is compromised, I submit that that person should probably start shotgunning resumes ASAP to as many people as possible.

Walt’s point about this budgeting exercise driving more security awareness is excellent. PCI is a proactive exercise, budgeting for a disaster scenario should be a key piece of that planning.
Dave Says:
April 28th, 2010 at 11:47 am
Don’t forget the ability to transfer risk via insurance. You can get $5M of coverage for as little as $25,000.
(Editor’s Note: This is a good point, but this commenter happens to work for an insurance broker. It doesn’t make the point any less valid, but wanted to make sure readers have enough information.)
BD Says:
April 29th, 2010 at 1:05 pm
I’ve been around this block. The first commenter (Dave) is correct that budgets are operational exercises. More to the point, budgets are for the purpose of holding managers accountable and limiting their spending authority. Budgets work well for planned spending, but not so well for contingencies.

Dave #2 is also correct that whole reason for insurance is to fund contingencies. You can budget for the insurance premium, as opposed to having to estimate the value of the contingency.

Ultimately, however, the real question is, do you have access to the CASH needed to cover the cost of the breach? Whether budgeted or not, you will need sufficient cash… this is where your treasurer comes in. You can plan to get contingency cash from retained earnings (i.e. you have the money in the bank), a line of credit, an insurance policy, additional investor capital, or whatever other method is available to your firm. The point is, unless you have a plan for where that CASH is going to come from, and some idea of how much you might need, you have not completed your contingency planning.

And yes, I do work in corporate risk management.

Readers, specifically those who want to comment on a story:
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk.com? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.

Weekly, Monthly Newsletters

Quickly catch-up on the latest in E-Commerce and Retail Tech with our free weekly report, with urgent bulletins as news merits—along with our monthlies on Mobile, Security, In-Store, E-Commerce and CRM.

Kindle Convenience - StorefrontBacktalk is now available natively on the Kindle so you can read us on the place without a connection.

Read StorefrontBacktalk's Retail Realities Column every week at CBSNews.com. Please click here for an archive of those columns.