There are a lot of things we cannot quantify in information security. How risky a given system configuration is, or exactly what information was lost in a breach, come to mind. Even the things we can quantify often fall on deaf ears because the information is not presented in management's terms.
But what if you could quantify some things, big things that management could understand? I'd say you'd at least take your credibility up a few notches. You'd probably help your business avoid the headlines in the next big breach. Well, according to a recent Javelin Strategy & Research survey titled "Avoidable Collateral Damage from Corporate Data Breaches," which looked at the views on data security and privacy of over 5,000 consumers in the U.S., there are some nice new pieces of information that you can quantify. And share with management. And use to build your case for security improvements.
Here are some interesting findings from the Javelin survey:
- If a credit card merchant (i.e. retailer) experiences a breach, 33% of consumers said they strongly agree or somewhat agree that they'd shop elsewhere.
- If a financial institution/credit card issuer experiences a breach, 24% of consumers will find another organization with which to transact business.
- If a healthcare provider experiences a breach, 30% of patients will defect.
That's big news and it's the very information you can share with executive management to get the point across that information security – and breaches – are a big deal, even for your organization.
What's also interesting about the Javelin survey is the number of people who strongly disagreed that they'd stop doing business with an organization that was breached: 13% for retailers, 16% for healthcare providers, and 19% for financial institutions/credit card issuers. Given these findings, I think we've come a long way from the stereotypical ignorant consumer. But we obviously have a long, long way to go to get people on board with the concepts of information security and privacy – not just with consumers but with business executives as well.
The one thing that I've discovered working for myself is that the concept of relentless incrementalism is key to getting results. In other words, when you find a cause that's good for the business – i.e. information security – you do what's right, keep doing what's right, and you never let up. There's a saying that if you swing long enough and hard enough you must eventually hit a home run. It's true.
Are you doing the things necessary today, this week, and beyond to better quantify the security challenges you face? The information is out there. The numbers have been crunched. It's up to you to find them and properly spread the word. This requires you, at a minimum, to put on your business hat and get down to the real work that all IT and security professionals are ultimately hired to do.