Security Pros Are Your Best Defence, Says Study

Negligence causes most breaches, but the malicious ones cost most money, according to a study

When data breaches occur, strong leadership from the chief information security officer  (CISO) can make a difference in the damage done to your corporate budget, according to new research from the Ponemon Institute.

In its latest look at data breaches the institute found that in the five countries studied (US, UK, Australia, France and Germany), CISO leadership in the aftermath of a breach slashed the cost per compromised record by an average of 21 percent compared to companies without such leadership. The benefits were highest for companies in Germany and the United States, where costs were reduced 45 and 33 percent, respectively. Despite this finding however, only 40 percent of the breaches in the U.S. and 36 percent of those in Germany were managed by the CISO.

A good security chief gets people on side

“Centralising an organisation’s approach to data management and protection usually means following a cohesive strategy instead of an ad hoc approach,” Dr. Larry Ponemon, chairman of the institute, told eWEEK. “Without a single point of accountability you may have vastly different approaches to information security from department to department and no one looking out for the best interests of the company.  A good CISO/CSO will understand the company’s mission and be able to marshal available resources to make sure everyone in the organisation is working toward that mission with full awareness of relevant laws and regulations, internal policies, and industry best practices.”

The study, which was commissioned by PGP, took a look at data breaches experienced by businesses around the globe in 2009. According to their findings, breaches in the US last year cost an average of $6.75 million, (£4.42m) or $204 (£134) per compromised customer record. The overall average across the five countries was $142  (£93) per record.

Notification laws cost money

Countries with data breach notification laws naturally had the highest costs. For example, the US had a cost per record that was roughly 43 percent higher than the global average. Germany, which passed data breach legislation in July 2009 had the second highest cost per record, reaching 25 percent above average.

“By forcing (breaches) into the public view, there’s a greater likelihood that companies will act in their best interest to take steps to avoid a public event,” Ponemon said. “That means investing in preventative measures, for example.  You can be cynical about the reasons, but if a company takes steps to prevent an embarrassing data breach for the sole purpose of avoiding a damaging headline, the resulting increase in security should still be seen as a positive.”