Here’s what I consider the biggest contradiction in cybersecurity: the most financially damaging, reputation-destroying security incidents almost always involve the theft of millions of database records. Yet data security is one of the smallest line items in a security budget.
Consider that total spending on security is forecast to hit $124 billion in 2019. Data security comprises less than 3 percent of total security budgets. Data sec investment is dwarfed by almost every other sector, from identity access management (3x more), to network security equipment (4x larger), to security services (a whopping 18x larger!).
If data, whether big or small, is the lifeblood of the modern digital business, and the most tempting target of cybercriminals, then why do companies keep skimping on protecting it? Don’t tell me it’s because they feel safe behind their network perimeters. Today, with the cloud, mobile and IoT devices, and the persistence of insider threats such as malicious, careless or compromised (think: phishing) employees, the perimeter has become too fluid and fractured to guard well.
Security experts agree that we’re living in a post-perimeter world, where trying to raise the castle walls and strengthen the virtual gates has little effect. Yet CISOs and their organizations are still investing a lot more into the walls and the gates rather than protecting the data at its source.
Obviously, enterprises realize their data is valuable, and that there are huge financial and operational risks if it is lost or stolen. However, it’s difficult to put that security risk into actual dollars that can then inform where and how much they should invest in data security.
What we need are frameworks and models. Gartner analyst Douglas B. Laney describes some in his book Infonomics. “Infonomics provides the framework businesses and governments need to value information, manage it, and wield it as a real asset,” he wrote.
With Infonomics, organizations can, according to Laney, “tackle the challenges and best practices for managing all forms of information as assets, including how to build an infosavvy organization.” I feel that this model is super-useful, and will herald a sea change in how companies treat their data. Gartner predicts that “by 2022, 30% of Chief Data Officers (CDOs) will be working with their CFOs to formally value their organization’s data assets for improved data management and benefits.” It’s my view that many will use techniques and models informed by Infonomics.
I encourage you to read this Gartner report, “Develop a Financial Risk Assessment for Data Using Infonomics,” which covers similar topics. Co-authored by Laney and two other Gartner analysts, Brian Lowans and Richard Hunter, it explores how security and risk management leaders lack methods to balance financial investment opportunities with the business risks related to data and how new infonomics-based models will help them distill the financial risks caused by security, compliance or processing incidents. Here’s one figure that I find particularly useful from the report, the Financial Risk Prioritization Matrix (Surprise! It’s a quadrant!):
For any security professional looking for an actionable methodology to value data assets and then create a justifiable budget or investment plan to protect them, we believe this report is it.
Gartner, Develop a Financial Risk Assessment for Data Using Infonomics, Brian Lowans, Richard Hunter, Douglas Laney, 30 January 2019.
Gartner, Infonomics, Douglas B. Laney, 2018.