The problem is that everywhere we look, we get this general feeling that we are failing. One report suggests that only 1 in 5 organizations are “very mature” in adoption of the NIST Cybersecurity Framework. GDPR is around the corner (May 2018) but some estimates show only 25% of EU countries are ready for it. Good luck to the rest when those astronomically heavy fines kick in. And how long until so many non-New York State entities are forced to follow the NY Department of Financial Services new cybersecurity regulations, just so they can keep doing business in NY? The transitional period for covered entities ends on August 28th, 2017, so you better be ready!
So fine, we get that there are regulations and statutes and frameworks, all of which need to be followed or adhered to. But there is a much more basic question that does not necessarily get asked: do you, as an organization, value cybersecurity? I am quite certain most will say “yes” but, do you value cybersecurity in the sense that it is a “nice to have” type thing or do you value it as “I need this or my life will be over” type thing?
I believe one of the greatest challenges we face when trying to address our cybersecurity issues is that we have done a poor job valuing our assets. Normally, we would hire an appraiser or an insurance company to assist with this task, in the traditional brick-and-mortar sense. If a sale were more complex, such as the valuation of goodwill, we would bring in a legal or financial firm that specializes in mergers and acquisitions. Could these firms help you when performing valuations? Perhaps they could, but these firms are still trying to get their own heads wrapped around the entire cybersecurity problem.
Ultimately, you should be able to “put a price” on your organization. In the brick-and-mortar model, it is pretty easy. I have building X, market value is Y, and replacement value is Z if something goes wrong in case of flood, fire, or whatever other “tangible” crisis you could face. Not only could you put a price on these issues, you could estimate recovery times, and possibly even have a rolodex of contractors or service providers that could help you out. And perhaps most importantly, you could budget for this tangible crisis. All this is pretty straight forward stuff. Have insurance, keep an operating line of credit handy, make sure you keep your debt leverage levels in check, have some cash on hand (also known as the “rainy day” fund for most of us).
Do we do any of these things for cybersecurity related issues?
My feeling is that we do not because we have not valuated our assets from a cybersecurity perspective. We do not know what the true cost of a damaging social media campaign could be. We do not know what the true cost of massive intellectual property theft is. And we do not know what the true cost of network downtime is.
I have a couple of theories why, in no particular order:
1) This is hard to do and when things are hard to do, we like to avoid them.
2) We do not know where to start. How many of us actually can put a dollar figure on the goodwill value of our firm?
3) We still think cybersecurity is a technical issue, so leave it to IT to figure out. (This would be a big mistake by the way.)
4) We do not have a true appreciation of how much we really rely on technology.
I could go on, but I think this is a good enough list to start with. Your question now could be: okay, stop telling me problems and start giving me solutions!
Here is my first and perhaps most important solution: put a number on what you value even if that number has to be arbitrary, especially those intangible things, like client records, intellectual property, goodwill, and brand.
Because it gives you a starting point. If I think the goodwill value of my business is worth $100,000, I will not spend $100,001 on cybersecurity measures. But if I think the goodwill value of my business is worth $10,000,000 then perhaps spending $500,000 on cybersecurity measures seems like a good idea, whatever these measures are (technical fixes, employee training, system upgrades, crisis communication plans, social media response teams, you name it).
If you think your client rolodex (which is all digitized now) is worth gold because it took your firm 30 years to build up that network, treat that rolodex as though it belongs in Fort Knox. If the reason you are able to charge a significant premium above your competitors is because you have brand value built over years of interpersonal relationships with your stakeholders, protect the band like it is the most important thing in the world to you.
But put a number on it! The value of “the number” is that you can at least start to budget what you are willing to spend, especially when you are not sure where to start.
Like I noted, this isn’t easy, but it’s necessary. And it will be an important first step to help you with your own cybersecurity challenges.
By George Platsis, SDI Cyber Risk Practice
August 22, 2017