There have been many articles about the cost of a security breach. With the emergence of privacy regulations that assign penalties based on a business's profit, or those that calculate a value for each compromised record, it is possible to calculate the cost of a breach based on those metrics. However, it would seem that these hard numbers are not detailed enough to placate many security professionals.

Too many cybersecurity professionals take the unnecessarily broad leap from the quantifiable to the speculative with ill-formed notions. Specifically, when discussing data breach costs, the topic of reputational damage always seems to enter the conversation. Yet, to many C-level executives, this is perceived as a sensationalist ploy, brinksmanship, and an empty threat, and rightfully so. Nothing detracts more from an important message than an unquantifiable peril.

If we look to history as our guide, many disasters far greater than privacy violations have occurred, and the responsible companies have emerged seemingly unscathed by the incident. Some organizations have blundered to the point of causing human casualties, but they still thrive. There is no need to cite specific names and events, as we are all too familiar with them, and this is not meant to be a festival of the macabre. From a purely cybersecurity perspective, the continued success of companies that have suffered even the costliest breaches is evident.

The point is that a company's reputation will be governed by market variables, such as its solvency and its prior reputation. When we, as security professionals, engage in inflammatory and alarmist speculation, we dilute the importance of our message. Ironically, the reputation that we damage may be our own.

It has often been stated that security professionals don't speak the "language of the business". This has always been confusing, as it doesn't make sense to a purely technical crowd. However,