Data Breaches Less Costly with Strong CISO

Ponemon Institute's latest report on data breaches shows putting the CISO in charge of the detection and notification process can makes a difference in your bottom line.

When data breaches occur, strong leadership from the chief information security officer can make a difference in the damage done to your corporate budget, according to new research from the Ponemon Institute.

In its latest look at data breaches the institute found that in the five countries studied (U.S., U.K., Australia, France and Germany), CISO leadership in the aftermath of a breach slashed the cost per compromised record by an average of 21 percent compared to companies without such leadership. The benefits were highest for companies in Germany and the United States, where costs were reduced 45 and 33 percent, respectively. Despite this finding however, only 40 percent of the breaches in the U.S. and 36 percent of those in Germany were managed by the CISO.

"Centralizing an organization's approach to data management and protection usually means following a cohesive strategy instead of an ad hoc approach," Dr. Larry Ponemon, chairman of the institute, told eWEEK. "Without a single point of accountability you may have vastly different approaches to information security from department to department and no one looking out for the best interests of the company. A good CISO/CSO will understand the company's mission and be able to marshal available resources to make sure everyone in the organization is working toward that mission with full awareness of relevant laws and regulations, internal policies, and industry best practices."

The study, which was commissioned by PGP, took a look at data breaches experienced by businesses around the globe in 2009. According to their findings, breaches in the U.S. last year cost an average of $6.75 million, or $204 per compromised customer record. The overall average across the five countries was $142 per record.

Countries with data breach notification laws naturally had the highest costs. For example, the U.S. had a cost per record that was roughly 43 percent higher than the global average. Germany, which passed data breach legislation in July 2009 had the second highest cost per record, reaching 25 percent above average.

"By forcing (breaches) into the public view, there's a greater likelihood that companies will act in their best interest to take steps to avoid a public event," Ponemon said. "That means investing in preventative measures, for example. You can be cynical about the reasons, but if a company takes steps to prevent an embarrassing data breach for the sole purpose of avoiding a damaging headline, the resulting increase in security should still be seen as a positive."

While the cost of data breaches fluctuates from year to year, one thing has remained the same - employee negligence is the leading cause of data breaches. In the U.S., negligence accounted for 40 percent of the breaches analyzed by the institute. Just under a quarter of the breaches (24 percent) were caused by malicious or criminal attacks.

"This is a frustrating statistic because it seems that addressing employee negligence would be the easiest, least costly way to make the most significant gains in data protection," Ponemon said. "Give yourself more time to check in at the airport; don't leave your PDA in the taxi; don't plug into an unsecured home network; don't disable your laptop's encryption... education and awareness can create a more vigilant, security-conscious culture, yet we see employee negligence remains atop the charts."

However, breaches due to negligence tended to be less costly than others, the research found. Malicious attacks did the most damage to corporate pocketbooks, and cost much more in countries without data breach notification laws. For example, malicious attacks in France and Australia cost 121 percent and 61 percent more respectively per compromised record than average. In the U.S. by contrast, the cost per record only went up seven percent.

The report recommended businesses take a number of steps to reduce the likelihood of data breaches or minimize their impact, including: ensuring portable data-bearing devices are encrypted, vetting and evaluating the security posture of third-parties they share data with and drafting communications that clearly define the root causes of a breach to minimize customer turnover.

"It doesn't matter where they're located, if a company gains a reputation for being careless with confidential data, the brand will suffer," said Phillip Dunkelberger, CEO of PGP, in a statement. "Data is currency, it needs to be protected. Data breach notification laws mean consumers are informed; more countries around the world are looking to tighten their data protection legislation as they realize lost data means an increase in customer turnover."