
Macro or Micro? (cont.)

The Economics of Cybersecurity

The real world

A better option is to provide metrics tied to real-world examples and experiences, both in-house and externally. One metric that's hard to capture but extremely useful, according to Borg, is the value of a company's security for its external customers. In order to calculate this you've got to step into their shoes, he says. "If you shut down your water for a week, the cost of losing your water is not what customers pay per day for water. The customer captures most of the value from the water," he explains. "The same is true for airlines. If you ground an airline or get rid of a favorite, convenient route, the cost to the customer is hugely more than the hard cost to the airlines."

If something costs customers enough, they may not be your customers very long. This is why every security discussion should include analysis about how much each of your customers is worth, says Borg. "The cost of information theft is greatly underrated," he says. "The cost of anything that causes someone to lose faith in an enterprise is huge. This is why measuring the success of a company initiative by how long the system is up and running is bad. It matters more how successful it will be at keeping your customers on board."

So where do you find those numbers? Benchmarking is useful, says Gary Lorenz, a member of New York-based Ernst & Young's security practice. "Compare your proposed project to the industry: What would be the next level? Where are we, and where have we been?"

Finally, says Borg, you should make sure you're not overestimating the cost of a security breach by ignoring the fact that in many cases, the outage or loss doesn't impact a business as much as you might think. "If you're trying to estimate cost metrics by adding up lost capacity, you have to remember there's always a substitute for that service," he says. "If the Web site goes down, people will call your call center. If computers go down, you can take orders on paper. Sure, it's a nuisance, but the costs are not going to be huge. Figure out what your substitute procedures are and how you can recover in the short term."

New York-based Karen J. Bannan also writes for The New York Times, PC Magazine, and Fortune Small Business.



©1995 - 2007 Symantec Corporation