According to the 2015 Information Security Breaches Survey, 44 percent of both large and small organizations increased their security expenditure in 2015 compared with 53 percent and 27 percent in 2014, respectively.Despite the increase in expenditure, however, 90 percent of large organizations and 74 percent of small organizations reported that they had suffered a security breach – up from 81 percent and 60 percent only one year ago.It’s nice to imagine that these enlarged security budgets were well-spent, but the evidence doesn’t support this.The truth of cyber crime is that it’s cheap. It costs almost nothing to hire a botnet for a DDoS attack, hacking software and malware is almost free, while finding people willing to jump on board and help out for notoriety or a cut of the profits is readily facilitated by the anonymity of the Internet and, increasingly, the Tor network.To manage cyber risks, we often need to spend much more than our adversaries, which seems utterly unfair.The damage our enemies can inflict, however, can be catastrophic. Ponemon Institute reports that the average cost of a data breach now sits at an astonishing $6.5 million.So, on balance, we should have enormous security budgets capable of seeing off almost anyone – but that’s not possible for most organizations. Instead, facing the realities of business, we must focus our spending wisely, taking advantage of all of the available evidence and walking that fine line between protecting ourselves and being fiscally responsible.Assess the risks – know your enemy and know yourselfThis is why risk assessments are so essential, and why they form the core of ISO 27001 – the international standard for information security.Knowing which risks are applicable to which information assets should drive information security management decisions and enable the business to balance expenditure on controls, against the likely result from security failures.This isn’t the whole of the problem, though. It’s difficult to judge how much damage a cyber risk presents because information is ephemeral – a computer has a relatively fixed value but data can be stolen or lost in vast quantities and in a myriad of configurations.Losing a million ZIP codes probably won’t cost you much, but losing a thousand credit card numbers most definitely will.A risk assessment regime focuses on protecting against whole risks, rather than simply protecting the assets. This is an exercise in perspective – protecting an asset from damage or loss is taking an isolationist approach, while protecting a whole range of assets from a single, specific threat unifies your defenses, keeping processes consistent and minimizing investment requirements.An effective risk management regime must operate on the basis of good intelligence, both regarding the threats from outside and the value of the organization’s information assets.Armed with this data, it’s much easier to present solid, evidence-based arguments for suitable budgets and to secure stronger long-term ROI.It’s not just about getting the money, it’s about getting the money to work for you.
About the Author: Luke Milner works at IT Governance.