McAfee today released their report on the ‘state of security’ 2012. 19 pages of interesting reading are let down by one thing: the inevitably low quality of the quantitative information they obtained. Highlighted in their report is one critical statement that should, if it stacks up, demonstrate the value we in the information security profession bring to our organisations. The statement? That organisations with a mature security stance face costs of a data breach just half those of their less mature competitors. Instant value to the tune of $0.5m per incident.
Before we all pat ourselves on the back, however, it’s worth taking a moment to consider the quality of their information, and the report gives us everything we need to do that.
Firstly, it tells us that only around a third of respondents were confident they were able to assess this financial impact. Since the companies that can quantify it are unlikely to share the security profile of the other two thirds, the comparison rests on a self-selected sample, and you are already left wondering whether their calculation is of much merit.
Later in the report, McAfee reveal that again only around a third of respondents felt they were both aware of their security risks and protected against them (a worrying 38% said they were aware of the risks but didn’t feel they were protected against them, and a scary quarter of respondents felt adequately protected but didn’t know what their risks were).
What does this mean? Quite simply, that in addition to respondents not really being able to assess what the incidents they did detect and manage actually cost, it’s quite likely that most incidents simply went under the radar because either the company didn’t know to look for them, or didn’t have the controls in place to detect them. Any cost comparison built on that data therefore counts only the incidents that were noticed, and which incidents get noticed depends on the very maturity the comparison is trying to measure.
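To make the detection-bias point concrete, here is a small simulation. It is an added illustration, not anything from the McAfee report, and every number in it is constructed: both groups of organisations draw their true per-incident costs from exactly the same distribution, the only difference being that the “mature” group notices roughly nine incidents in ten regardless of size, while the “immature” group reliably notices only the incidents large enough to become visible externally (the cost threshold, the detection probabilities and the cost distribution are all assumptions chosen for illustration). The survey-style figures are then computed from detected incidents only, which is all a questionnaire can ever see.

```python
import random
import statistics

# Constructed parameters for an added example; none of these come from the report.
TRUE_COST_MU = 11.5                 # log-scale mean of per-incident cost (assumption)
TRUE_COST_SIGMA = 1.0               # log-scale spread (assumption)
MATURE_DETECT_PROB = 0.9            # assumption: mature orgs notice most incidents, big or small
IMMATURE_VISIBLE_THRESHOLD = 250_000  # assumption: above this an incident becomes visible
IMMATURE_DETECT_PROB_SMALL = 0.1    # assumption: smaller incidents are found only by luck


def simulate(n_incidents=10_000, seed=2012):
    """Compare true per-incident cost with the cost a survey would see.

    Both groups have identical true costs; only detection differs.
    """
    rng = random.Random(seed)

    mature = [rng.lognormvariate(TRUE_COST_MU, TRUE_COST_SIGMA) for _ in range(n_incidents)]
    immature = [rng.lognormvariate(TRUE_COST_MU, TRUE_COST_SIGMA) for _ in range(n_incidents)]

    # Mature group: detection is roughly independent of how costly the incident is.
    mature_detected = [c for c in mature if rng.random() < MATURE_DETECT_PROB]

    # Immature group: an incident is noticed when it is big enough to surface
    # (regulator, customer, press); the rest are mostly never counted at all.
    immature_detected = [
        c for c in immature
        if c >= IMMATURE_VISIBLE_THRESHOLD or rng.random() < IMMATURE_DETECT_PROB_SMALL
    ]

    return {
        "true_mean_mature": statistics.fmean(mature),
        "true_mean_immature": statistics.fmean(immature),
        "detected_mean_mature": statistics.fmean(mature_detected),
        "detected_mean_immature": statistics.fmean(immature_detected),
        "detected_count_mature": len(mature_detected),
        "detected_count_immature": len(immature_detected),
        "detected_total_mature": sum(mature_detected),
        "detected_total_immature": sum(immature_detected),
    }


def true_cost_ratio(result):
    """Mature / immature mean cost per incident using every incident that happened."""
    return result["true_mean_mature"] / result["true_mean_immature"]


def reported_cost_ratio(result):
    """The same ratio as a survey would report it: detected incidents only."""
    return result["detected_mean_mature"] / result["detected_mean_immature"]


if __name__ == "__main__":
    r = simulate()
    for key, value in r.items():
        print(f"{key:>26}: {value:,.0f}")
    print(f"true ratio (mature/immature):     {true_cost_ratio(r):.2f}")
    print(f"reported ratio (mature/immature): {reported_cost_ratio(r):.2f}")
```

Run it and the true ratio sits at roughly 1.0, as it must, while the reported per-incident ratio drops well below it: the immature group appears to suffer far more expensive breaches purely because the cheap ones never made it onto their radar. Note that the total detected cost points the other way (the immature group reports fewer incidents and a lower total), so the headline can be made to say almost anything by choosing per-incident or per-organisation figures. Layering the report’s own selection effect on top, where only a third of respondents could put a number on cost at all, would only compound this.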
Overall, it’s a pretty fair reflection of where we are as an industry. But there’s nothing worse than misinformation, and so far attempts like this to quantify the costs of data loss and the value of security are sailing very close to the wind.