Sunday, June 22, 2003

Security "Return on Investment"

The June 03 SC Magazine offered several excellent articles. Peter Stephenson discusses new forensic certifications, like the Certified Information Forensics Investigator (CIFI). (If you qualify by 31 Dec 03, you might be able to grandfather the cert without sitting for the test.) The same issue featured a case study called Tracking Down Cybercriminals. Unfortunately, SC Magazine quotes an Addamark survey saying "companies are unwilling to prosecute hackers, even when they have enough evidence for legal action. Information security departments said they preferred to fix the damage or use forensic evidence to achieve a settlement with the wrongdoer, rather than opt for legal proceedings." This is too bad, as an article by Mark Doll of E&Y discusses the effect of security incidents on share prices. In short, within three days of incident type X, share prices dropped by Y:

  • "significant security breach": 5.6%, or $15-$20 million on average

  • "theft of credit card data": 15%

  • "denial of service": 3.6%

  • "theft of customer information": 1.2%

Finally, I say forget all this talk about security providing "return on investment." Page 15 of the Deloitte Touche Tohmatsu 2003 Global Security Survey shows 63% of executives see security as "a necessary cost of doing business." Only 13% say security is "an investment in enabling infrastructure."
