Economics of cyber security
"Data breaches have become as certain as death and taxes. Traditionally, information security has been regarded as a business inhibitor instead of a business enabler," said Simphiwe Mayisela, information security officer: office of the CIO, Internet Solutions.
"Experience shows that information security departments have always been viewed as departments that impose more rules, more password restrictions, more limitations on access, more barriers and firewalls - the security teams are effectively seen as teams comprised of individuals with a 'badge, gun and guard-dog' attitude," continued Mayisela.
"However, executive management is not primarily concerned with how well the security solutions protect sensitive information. Rather, executive management is concerned with the benefits gained from investing in security solutions and how this investment influences the organisation's net earnings per share," he continued.
Executive management needs to know if the investment in security solutions is financially vindicated and if it would render the business secure, he added. "Additionally, they need to know how much the lack of security is costing the business, how much value greater security adds to the business, or how much more a secure company is worth compared to an insecure one."
The challenge faced by executive management was to define an absolute metric to be used to qualify the business as secure, Mayisela elaborated.
"The terms 'secure' and 'insecure' can be perceived differently by different individuals. In our experience, security discussions do not form part of an agenda for executive management board meetings unless there has been a security incident that has a significant business impact, such as fraud, violation of a statutory requirement, or leakage of sensitive information such as a company's intellectual property, trade secrets, or information about mergers and acquisitions.
"This raises questions regarding the knowledge and observation of the existence of information security, leading to a thought experiment stating that the existence of an object is determined by how it is perceived, comprehended, seen, or heard. That is, if a tree falls in a park and no one is there to hear it when it falls, one can assume that the tree never existed. Similarly, if a security incident takes place and it is not detected, executive management assumes that there was no security incident and that the business is secure," said Mayisela.
"This flawed thought process, it should be noted, affects executive management decisions in various ways: 1) management not being able to place a financial value on security; or 2) management not realising the return on the investments they have made in information security," he concluded.
Mayisela will be chairing ITWeb's Governance, Risk and Compliance Summit 2016 in February at Summer Place, Hyde Park in Johannesburg.