Risk, Information Security, and Economics

Economics is changing information security. You can help write the new rule book.

Meanwhile, CEOs and CFOs are demanding accountability for every dollar spent, providing new incentives for CSOs—and security vendors, analysts and consultancies as well—to help prove themselves worthwhile. As a result, companies are starting to calculate a return on security investment, based primarily on the cost of security, the cost of breach and the probability that it will happen.

It would be naive at best to suggest that any of this is a science. "We're just leaving puberty," is how Katz describes the field of information security. Far from knowing the answers about how much money to spend and where to spend it, we're just starting to know the questions.

But one thing is certain: In the coming years, the information security community has the chance to work with auditors, economists, accountants, lawyers, insurance companies and a bevy of other experts to find ways to put structure around the money spent on information security. The ability to join in this dialogue is vital to individual CSOs and the burgeoning professional as a whole. But, to hear at least one observer tell it, the convergence of risk management and information security might have even greater implications.

"I think this is going to make or break the economy," says Thomas Koulopoulos, president, CEO and founder of the Delphi Group. "Unless we can find a way to more securely, and with greater trust, transact across enterprise lines, I don't think we're going to have the economic growth everyone is hoping for. I think this is fundamental to growing—and I hate to use this phrase—a new economy, if there is a new economy out there."

For your business and profession to survive, you have to play the game of risk. If you want to win, then help write the rules. We'll help you get started.