Knowing the unknown

McAfee today released their report on the ‘state of security’ 2012. 19 pages of interesting reading is let down by one thing: the inevitably low quality of the quantitative information they obtained.

Highlighted in their report is one critical statement that should, if it stacks up, demonstrate the value we in the information security profession bring to our organisations. The statement? That organisations with a mature security stance face costs of a data breach just half that of their less mature competitors. Instant value to the tune of $0.5m per incident.

Before we all pat ourselves on the back however, it’s worth taking a moment to consider the quality of their information, and the report gives us all the information we need to do that.

Firstly, it tells us that only around a third of respondents were confident they could assess this financial impact. When you consider that the companies able to quantify this are unlikely to have the same security profile as the other two thirds, you are already left wondering whether the calculation is of much merit.

Later in the report, McAfee reveal that again only around a third of respondents felt they were both aware of their security risks and protected against them (a worrying 38% said they were aware of the risks but didn’t feel they were protected against them, and a scary quarter of respondents felt adequately protected but didn’t know what their risks were).

What does this mean? Quite simply, that in addition to not really being able to assess how much the incidents that were detected and managed actually cost, it’s quite likely that most incidents simply went under the radar, because the company either didn’t know to look for them or didn’t have the controls in place to detect them.
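The two distortions described above, that only the respondents able to put a figure on cost contribute one and that only detected incidents are ever counted, can be made concrete with a small population model. The following is an added example, not anything from the McAfee report or this post; every figure in it (segment shares, incident rates, detection rates, costs, quantification rates) is a constructed assumption chosen only to show the direction of the effect.

```python
"""Toy model of two survey distortions: only respondents who can quantify cost
contribute a number (selection bias), and only detected incidents are counted
(detection gap). All figures are constructed assumptions, not survey data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One slice of the surveyed population. Every value is a constructed assumption."""
    name: str
    share: float               # fraction of organisations in this segment
    incidents_per_year: float  # true incidents per year, detected or not
    detection_rate: float      # fraction of those incidents that are noticed
    mean_cost: float           # true mean cost per incident
    can_quantify: float        # probability a respondent can put a figure on cost


# Constructed population: a mature minority that detects most incidents and can
# usually quantify cost, and a less mature majority that mostly cannot.
MATURE = Segment("mature", 0.35, 2.0, 0.90, 600_000.0, 0.70)
IMMATURE = Segment("less mature", 0.65, 4.0, 0.40, 900_000.0, 0.15)
SEGMENTS = (MATURE, IMMATURE)


def true_annual_loss(seg: Segment) -> float:
    """Loss the organisation really incurs: every incident, detected or not."""
    return seg.incidents_per_year * seg.mean_cost


def visible_annual_loss(seg: Segment) -> float:
    """Loss a survey can see: undetected incidents contribute nothing.
    Assumes detected and undetected incidents cost the same on average."""
    return seg.incidents_per_year * seg.detection_rate * seg.mean_cost


def quantifier_share(segments=SEGMENTS) -> float:
    """Fraction of all respondents who can supply a cost figure at all."""
    return sum(s.share * s.can_quantify for s in segments)


def true_mean_annual_loss(segments=SEGMENTS) -> float:
    """Population-wide average annual loss, weighting every organisation."""
    return sum(s.share * true_annual_loss(s) for s in segments)


def surveyed_mean_annual_loss(segments=SEGMENTS) -> float:
    """What the survey reports: visible losses averaged only over respondents
    who could quantify them, so the mature segment is over-represented."""
    weights = [s.share * s.can_quantify for s in segments]
    total = sum(weights)
    return sum(w * visible_annual_loss(s) for w, s in zip(weights, segments)) / total


def loss_ratio(metric, immature: Segment = IMMATURE, mature: Segment = MATURE) -> float:
    """Less-mature loss divided by mature loss under the given per-segment metric."""
    return metric(immature) / metric(mature)


if __name__ == "__main__":
    print(f"respondents able to quantify cost: {quantifier_share():.1%}")
    print(f"true mean annual loss:     {true_mean_annual_loss():>12,.0f}")
    print(f"surveyed mean annual loss: {surveyed_mean_annual_loss():>12,.0f}")
    print(f"less mature / mature, true:     {loss_ratio(true_annual_loss):.2f}x")
    print(f"less mature / mature, surveyed: {loss_ratio(visible_annual_loss):.2f}x")
```

With these constructed inputs the survey sees well under half the real average loss, and the gap between mature and less mature organisations shrinks from threefold to about 1.3x, because the organisations least able to detect and quantify incidents are exactly the ones whose losses drop out of the figures. Changing the assumptions changes the sizes, not the direction, of both effects.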

Overall, it’s a pretty fair reflection of where we are as an industry. But there’s nothing worse than misinformation, and so far attempts like this to quantify the costs of data loss and the value of security are sailing very close to the wind.

Trackbacks/Pingbacks

  1. When will we understand infosecurity risk? | isrisk.net - April 3, 2012

    [...] McAfee’s 2012 security report suggests that incidents cost on average $0.5 – $1m, but also reveals that only a third of respondents had any idea what the cost was to them, and that a quarter of respondents didn’t feel they knew what security risks their controls were protecting them against. Until we can make an accurate quantitative assessment of security risk Boards and security professionals alike will find it hard to decide what level of resource to deploy, or how best to deploy it. [...]

  2. When will we understand infosecurity risk? | Palmer on Security - September 28, 2013

    [...] McAfee’s 2012 security report suggests that incidents cost on average $0.5 – $1m, but also reveals that only a third of respondents had any idea what the cost was to them, and that a quarter of respondents didn’t feel they knew what security risks their controls were protecting them against. Until we can make an accurate quantitative assessment of security risk Boards and security professionals alike will find it hard to decide what level of resource to deploy, or how best to deploy it. [...]
