Having a CISO on Staff Can Cut Down Data Breach Costs

Sue Marquette Poremba

Has your company suffered a data breach recently? If so, chances are pretty good it was because of someone inside your company.


The Ponemon Institute and Symantec jointly produced the 2011 Cost of Data Breach Study: United States. The report found that negligent insiders are the top cause of data breaches: 39 percent of the organizations surveyed said employee negligence was the root cause of their breach.


The best way to combat these insider-caused breaches? Hire a chief information security officer (CISO) who has enterprise-wide responsibility for data protection. According to the report, organizations with a CISO on staff saw the average cost of a data breach reduced by as much as $80 per compromised record. Bringing in a third-party security consultant isn't quite as effective, but it is helpful: the report found that outside consultants assisting with the breach response can save as much as $41 per record.


I see the correlation. One of the primary reasons for employee negligence is the lack of education on security policies. Having a CISO or some sort of security administrator provides some structure to the security policy and its enforcement. I'll strike up conversations with people about their network security, including whether or not they have someone on staff specifically in charge of security. Granted, mine is a small, anecdotal and personal sampling, but the vast majority of people tell me that they have no idea or don't think they have a security administrator. They also aren't really sure what their security policies are or of the basic steps beyond "my computer has anti-virus software on it" to protect their data. The ones who do have someone overseeing security were a bit more aware - at least they knew what they weren't supposed to be doing.


In a release, Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, said:

One of the most interesting findings of the 2011 report was the correlation between an organization having a CISO on its executive team and reduced costs of a data breach. As organizations of all sizes battle an uptick in both internal and external threats, it makes sense that having the proper security leadership in place can help address these challenges.

Of course, the report discussed other important findings about data breaches in the United States, such as the fact that the cost of a data breach has dropped, as Information Week pointed out:

The average cost of a breach declined by 24%, from $7.2 million in 2010 to $5.5 million in 2011.

Also, customers seem to be more aware that breaches are pretty much a fact of life these days and are staying loyal to the brand, rather than abandoning a company after a breach. That's in part due to the steps companies are taking to repair damage to their reputation, but I would think, too, it is because more of us either have worked for a company that has suffered a breach or simply have greater awareness of them.


Still, the statistics on having a CISO really jumped out at me. Having someone around who can coordinate security policy and enforcement should cut down on the number of breaches caused by negligent employees. If nothing else, those with security questions will finally have a "go-to" person for an answer.
