Monday, February 2, 2009

Inflation in the Online Crime Sector

I'll get back to the employee evaluation stuff at some point.

Today, though, an article in the Wall Street Journal (Feb 2, 2009) caught my interest. The article is derived from a press release issued by PGP, the company that commercialized the free secure email software we all knew and wanted to use, but couldn't, due to the lack of any decent public key infrastructure.

(As an aside: a single desktop license for PGP encryption software runs over $300. Wow! I guess if free doesn't work as a business model, try exorbitant!)

But I digress.

PGP hired some folks to survey the IT community (“43 organizations across 17 different industry sectors”), and found that the cost of an average data compromise event in 2008 rose 2.5% year over year to $202 per record.

This number is important, because the best weapon the CIO can wield in the battle for budget dollars is a set of hard figures quantifying risk. How many customers do you have? Ten thousand? Congratulations – a single inadequate security process can cost you $2,020,000. Think that's a lot? Actually, it isn't: the survey revealed that “[a]verage total per-incident costs in 2008 were $6.65 million.”

When it comes to getting budget for access control, identity management, security, and related matters, it's possible to rely on the newspaper argument. That conversation goes like this: “We can spend a few extra bucks ensuring that our database is locked down, or we can wake up one morning to find your picture in the paper, next to the headline, ‘Executive's Parsimony Results in Massive Identity Theft.’” That position has definite emotional appeal, but in the end, the pure dollars and cents argument wins the day.
