Cybersecurity is not just a numbers game — it’s about leadership, execution, and resilience.
There is an old recurring topic in the cybersecurity industry revolving around the cost of data breaches.
Let’s start by repeating what might be obvious to readers: each data breach is likely to differ from the next, depending on the industry sector, the target of the attackers and the level of preparedness of the victim, amongst other factors.
When trying to establish the actual cost of a breach, there are line items you will always have a price tag for: the costs of forensic investigations, legal or PR work, the cost of supporting affected customers through access to various platforms, etc.
But many researchers in that space tend to push the game a bit further into business or reputational loss, and that’s where the whole exercise falls into a hopeless estimation game.
The 2024 “Cost of a Data Breach” report by IBM and the Ponemon Institute is quite typical in that respect.
It offers a good overview of its methodology in its back pages, but sadly, the “small print” ends up highlighting the problems with the report itself:
- Year-on-year comparisons are meaningless because the sample varies every year and because of currency conversions (participants estimate the costs in their local currency which are then converted to USD at a given rate every year);
- You don’t really know who is answering the survey; they are only identified as “security and C-suite business leaders with first-hand knowledge of the data breach incidents at their organizations”; their profile and level of experience will vary from one organisation to another; yet the dataset is based on their “estimates”, which can be very tricky to make, for example when it comes to “Business disruption and revenue losses due to system downtime — Cost of losing customers and acquiring new customers — Reputational damage and diminished goodwill”.
Don’t get me wrong; I don’t think the data is entirely meaningless; what is meaningless is page after page of number crunching down to several digits after the decimal point… all leading to far-reaching statements that are frankly misleading.
Given the obvious complexity of the exercise on a large scale and its number of dimensions, I keep wondering why those types of surveys keep coming up.
For me, it typifies an obsession of some industry leaders and security vendors I have been writing about for many years.
They think this is a numbers game. They believe that the best way to convince senior executives of the need to invest more in cyber is through some form of ROI demonstration:
· Data breaches are unavoidable
· Dealing with a data breach could cost X
· My product stops data breaches and only costs Y (much less)
· Therefore there is a potential return on investment of Z
This is interesting, but it is an approach that has been tried for over 20 years and simply does not work: partly because the numbers used are made up, partly because there is no single line of defence that can stop cyber-attacks, and partly because every middle manager in every firm is playing that game and top execs have become immune to it.
Senior executives no longer need to be convinced that cyber-attacks are unavoidable, or of the need to invest in cyber protection. They know it can cost a lot of money or take the business down. They know there might be personal liabilities for them or others.
They need to be convinced that their organisation can execute on cyber protection and that the right leadership is in place to drive it through.
Trust between security executives and top leaders is the real currency here, not money, and that’s what CISOs should be concentrating on building.
JC Gaillard
Founder & CEO
Corix Partners
Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.
Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.