CISOs: Pay Attention to the Cost of Lost Customers
If you haven’t downloaded the latest Ponemon Institute report on the cost of data breaches, well, you might want it… Is that a yawn? A groan from data theft marketing fatigue and breach boredom? We get it.
Talking about the financial impact of data breaches isn’t nearly as cool as dissecting hacks (ahem, Adult Friend Finder and mSpy) and monitoring the seedy hacker underground, but it couldn’t be more relevant to the needs of your organization (we do both here).
Here’s one morsel in the 30-page report that should help your reporting at the next boardroom meeting: lost business cost. It is now up to $1.57 million per breach. Ponemon writes in the report (on page 17):
As can be seen, lost business has potentially the most severe financial consequences and has steadily increased over the past three years. This cost component includes the abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill.
Data breaches have frankly become too easy, too quick, and lucrative enough for criminal communities to exploit them repeatedly. It’s easy to latch on to the big numbers in these reports, because they are growing and big numbers attract headlines. The lost business cost, however, is one figure CISOs can use to show impact that will resonate across internal business departments and executive boards. Use it in communications and reports to show trend lines, and to establish categories you can measure against.
Ponemon tracks lost business cost over three years and weighs it against other key cost trends such as detection and escalation ($0.99M), notification ($0.17M), and ex-post response ($1.07M). All but notification are on the rise, but lost business cost showed the largest increase of these four areas.
Three Feet High and Rising
Have data breach costs gone up? Yup. The average total cost of a data breach is now up to $3.79 million. Between fiscal years 2013 and 2015, that number has grown by 23%, according to the report, which surveyed 350 companies.
Chief information security officers (CISOs) who now have an active role in reporting to executive boards routinely struggle to translate security metrics into business metrics that map to corporate strategy and goals, say the co-founders of SecurityScorecard.
They would know. As two former heads of security at the Gilt Groupe, they understand the importance of identifying KPIs that work for security and for the business.
It is not easy to do.