What is the “Holy Grail” of enterprise cybersecurity, you may ask?
It turns out that for many IT professionals -- and especially CIOs -- it is return on investment (ROI), which measures benefits of an investment versus its costs.
“Everybody wants to get that return on investment for something that doesn’t happen,” said Chris Porter, chief information security officer at Fannie Mae, during a panel discussion at the MIT Sloan CIO Symposium held in Cambridge, Mass., May 24.
ROI in cybersecurity involves “trust,” said James Kaplan, a partner at management consulting firm McKinsey & Co. “The digital economy requires trust; digitized enterprises require trust … Without the appropriate investments in cybersecurity, trust doesn’t exist,” he said.
Boards need to think of enterprise cybersecurity ROI in a number of ways, depending on their industry, Kaplan said. First, they need to think about security from their customers’ perspective. Second, they need to consider their most important information assets. “We have security to protect certain data and certain transactions. Third, they need to think about the harm that compromise of that data would cause to the organization. Then, they can think about what security measures to put in place to protect those assets to reduce the risks,” he said.
Enterprise cybersecurity: Data breach costs
Porter, who directed Verizon’s Data Breach Investigations Report team before joining Fannie Mae, stressed that calculating the costs of enterprise cybersecurity failure can be challenging.
There are many costs from a data breach of sensitive personally identifiable information (PII), such as Social Security and credit card numbers. These include buying credit monitoring and notification services for the breach victims, around $20 per record. If the company loses 1 million records, that’s $20 million just for credit monitoring. Other losses include brand damage, lost business, legal costs, and PR expenses, he said.
Another type of cost from a cyber event is downtime from a distributed denial of service (DDoS) attack or ransomware. This has a different set of criteria than a data breach for estimating losses.
“When you start aggregating data together [from different attack types], things start falling apart because we really don’t understand the interconnectivity of how all of the controls work together,” Porter said.
Kaplan noted that companies also have to consider the losses from theft of intellectual property. “How valuable is intellectual property and can the people who stole it make any use of it?” he asked. He noted that these questions are difficult to answer.
Valuing intellectual property
Andrew Stanley, chief information security officer at Dutch technology multinational Philips and the panel moderator, challenged Kaplan’s assertion that it is difficult to value intellectual property. Philips generates around 3,000 patents and spends around $2.3 billion on research and development every year.
Stanley said that Philips is able to estimate the aggregate value of its IP portfolio and to identify which bad actors might be interested in particular IP. The company can then estimate what portion of that portfolio is under threat, for example, 10 percent. If that portion were compromised, it would cost the company around $200 million based on that percentage.
“While this is not precise, we can use the aggregate level and bring it to the board. We can say, if we do not pursue this, you are putting $200 million at risk. So we monetize the threat in a way the board understands. The board is used to making assumptions like that around intellectual property,” Stanley said.
Jim Cupps, senior director at Liberty Mutual, questioned whether companies can actually aggregate risk and losses in that way. “When you try to aggregate risk over your portfolio, you are missing all of the counters and controls, and you are missing where the overlaps are that could be potentially catastrophic … The struggle I have is how do you go from a quantitative model to a more qualitative model based on CIA [confidentiality, integrity, and availability] and compliance.”
Cupps noted that estimating loss in terms of availability is more straightforward than estimating loss in terms of confidentiality and integrity. Hackers originally tried to bring systems down with their attacks, so estimated loss was easier. Then, they shifted to stealing confidential information, making loss calculation more difficult. Now, with hackers using ransomware, there is shift back to calculating loss in terms of availability, he explained.
“Now that we are shifting to ransomware, where they are making money by the loss of availability, I’m wondering if there is another shift that will make it easier to make these ROI calculations,” he said.
Complicating the ROI picture for enterprises: Third-party vendors who handle their confidential data can pose a risk to that data if they do not have robust security measures in place. A perfect example of this is the announcement earlier this month of a data breach that affected Verizon.
During another panel at the symposium, Stanley described how his company handled a major data breach involving a third-party vendor that resulted in payroll data of 4,000 Philips employees showing up on text storage site Pastebin.
The employee information that was disclosed included payroll and bank IDs, Dutch national identifications (driver’s license and passport number), home addresses, and other information that could be used to steal employees’ identity.
Before determining where the breach occurred, Philips informed the Dutch Data Protection Authority about the breach and set up a crisis response team.
The team filed take-down notices with Pastebin and a number of search engines, he said. The company’s security analysts scanned the network to find out whether the data could have leaked from inside the company and whether additional breaches from the payroll system could occur. The penetration experts looked at how the breach could have happened and what were the potential entry points for the hackers, he added.
Overall, the process took a month. Eventually, Philips was able to show that the breach occurred at a downstream payroll processor and informed the processor that it had to take care of the breach. “We told them, ‘You’re going to take care of it. And if you don’t take care of it, things will become very bad for you very quickly,’” he said.
Also on the panel was James Lugabihl, director of execution assurance at payroll processor ADP. He described a 2011 data breach he handled at a previous employer, a Fortune 150 company. He said that a sophisticated attack was carried out by a nation-state actor that was looking to steal intellectual property.
The attack began with a phishing email containing an infected Excel spreadsheet that an employee opened. Suddenly, “We were in the news,” he said.
Lugabihl said that his team received full support from the corporate leadership and was able to identify, quarantine, and remove the adversary from the network.
Following the breach, the company examined how such a breach could have happened and how it could be prevented in the future. The security team reviewed the company’s network segmentation to determine whether it was sufficient to prevent an adversary from moving laterally through the network. It also looked at how the company was managing privileged administrator accounts, since those accounts are what an intruder needs to maneuver around the network. The team even looked at the help desk’s response to see whether it had inadvertently aided the attackers in any way.
The bottom line from these panels is that most companies will be breached by attackers at some point, and they need to prepare for that eventuality. Investment now in enterprise cybersecurity will prevent major losses down the road from cyberattacks.