
Quantifying Risk and Cost of IT Security Compliance: Part 1

Thursday, February 4th, 2010

This week’s post is Part 1 of a five-part series.

Over the years many IT security professionals have told me about their challenges in getting an appropriately sized security budget approved. In my opinion, many senior executives believe that if they have not endured a serious security breach, then there simply are no security risks. That is my motivation for writing this series.

Executive Summary

IT security and security compliance are expensive to achieve successfully. Add privacy compliance and an array of regulatory compliance obligations, and the costs skyrocket.

The key to getting the IT Security Governance committee to fund the appropriate compliance budget is to speak their language.

To do that, risks need to be expressed to executives in terms of costs. Specifically, costs need to be identified as: the potential cost of losses, mitigation costs, the total cost (potential cost of losses + mitigation costs) and residual costs.

To be clear and meaningful for the intended audience, the material should be presented graphically, showing changes in both cost and risk over time.

This trend analysis is most useful for helping the IT Security Governance committee make well-informed decisions on how to invest in security most effectively, thereby deriving optimal payback for stakeholders.

Identifying Risk and its Business Impact

The costs of risk associated with IT security and privacy, and with non-compliance with regulations and standards, together with the resulting negative impact on the business, can be broadly identified as follows:

1. Loss of revenue or production due to unavailability of production resources.

2. Time and effort to recover from a security related loss of production.

3. Legal costs.

4. Damage to brand.

5. Regulatory compliance violations.

6. Privacy compliance violations.

7. Damage to client and vendor relationships.

8. Loss of intellectual, competitive or proprietary information.

9. Uncaptured profits resulting from an inability to demonstrate a strong security process to clients, vendors and partners.

The cost of risk is the resulting impact on the business that may be incurred should a risk become a reality, i.e. an event. Determining the cost of a potential event is difficult at best. However, it can be accomplished by employing one or more quantitative and qualitative methods, and it should be undertaken by those most qualified to do so.

Those most qualified are unit profit-and-loss managers, stakeholders, and executives with quantitative insight into how an event would affect their work domain.

The cost of various types of events can be viewed in categories of low, medium and high cost. This qualitative analysis is not useful in itself, but it may assist management in prioritizing the order in which they perform a more in-depth risk analysis.

Have a secure week.

Regards, Ron Lepofsky, B.A.Sc. (Mech Eng), CISSP

ERE Information Security and Privacy Compliance Auditors

www.ere-security.ca
