Report: CISOs Keep Breach Costs Lower

Companies continue to pay a high price to clean up the mess created by a data breach, but having a Chief Information Security Officer (CISO) may offer some protection. That is the conclusion of a study released Monday by the Ponemon Institute, a Michigan-based consultancy that conducts independent research on privacy, data protection and information security policy.

This is the fifth year Ponemon has conducted its “Cost of a Data Breach” survey, which examined actual data breach experiences of 45 U.S. companies from 15 different industry sectors. This year, the cost of a data breach has increased to $204 from last year’s $202 per customer record. However, companies that had a CISO (or equivalent title) who managed the data breach incident experienced an average per capita cost of $157 versus $236 for companies without such CISO leadership.

Approximately 40 percent of participating companies had a CISO in charge of managing the data breach incident, according to the survey.

“While other functional areas are typically involved in crisis management activities surrounding the data breach, our results suggest CISO leadership substantially reduces the overall cost of data breach,” the report states.

“The one big take away on positive takeaway is that in (companies) that have CISO involvement, breaches tend to cost less because they have a more strategic view of protecting data than the old idea of whack-a mole, fix-it a hundred different times, ” explained Phillip Dunkelberger, president and CEO of PGP Corp., which co-sponsored the study. “CISO involvement at a higher level means less cost of a data breach and less chance of repeating it because of the strategic view of protecting it that these professional take.”

While the cost of a breach only rose two dollars per record this year, Dr. Larry Ponemon, founder and chair of the Ponemon Institute, pointed out the massive increase in cost over the five years since the study’s inception, when breaches cost $138 per compromised customer record. In figuring out the costs, the study takes into account a wide range of business costs, including expense outlays for detection, escalation, notification, and after the fact (ex-post) response. The economic impact of lost or diminished customer trust and confidence, measured by customer churn or turnover rates, is also analyzed.

Other highlights from this year’s research include:

– Forty two percent of all cases in this year’s study involved third-party mistakes or flubs. Data breaches involving outsourced data to third parties, especially when the third party is offshore, are most costly. The per capita cost for data breaches involving third parties is $217 versus $194, more than a $21 difference, according to Ponemon.

-Twenty four percent of all cases in this year’s study involved a malicious or criminal attack that resulted in the loss or theft of personal information. Research shows data breaches involving malicious or criminal acts are much more expensive than incidents resulting from negligence. The per capita cost of a data breach involving a malicious or criminal act averages $215. The per capita cost of a data breach involving a negligent insider or a systems glitch averages $154 and $166, respectively.

-Thirty six percent of all cases in this year’s study involved lost or stolen laptop computers or other mobile data-bearing devices. Data breaches concerning lost, missing or stolen laptop computers are more expensive than other incidents. Specifically, in this year’s study the per victim cost for a data breach involving a lost or stolen laptop is $225.

“Its not just about bad guys, but also good guys who make mistakes,” noted Ponemon.