The Ponemon Institute recently completed two interesting studies on IT security. In the first, its annual “U.S. Cost of a Data Breach,” the research firm focused on privacy, data protection and information security policy and found that the cost of data breaches in the U.S. is rising. According to the report, the average cost in 2010 hit $214 per compromised record. That's markedly higher than in 2009, when the figure was $204.
The costs associated with data breaches include those related to notifying customers, legal fees, investigations and lost business from what Ponemon categorizes as abnormal customer churn. And it appears that enterprises that respond quickest to the breach actually end up spending more than those that are more deliberate in their response. That's because in the rush to get the alerts out (as required by many breach-notification laws), companies overnotify parties, the report says, and this little contribution they make to damaging their own reputations actually increases customer losses.
The second Ponemon survey, of more than 2,400 IT security administrators from around the world, found that security complexity is the No. 1 challenge faced by organizations. Undertaken in conjunction with vendor Check Point Software Technologies, this report, entitled “Understanding Security Complexity in 21st Century IT Environments” (a release about it is here), found that more than 55 percent of companies are now using more than seven security vendors.
And, as cloud computing, mobility and the consumerization of enterprise devices increase, the complexity associated with securing systems and data will, too.
What can an enterprise architect do about all of this? Plenty.
First (as I noted in my previous post), a security architecture that is aligned with the business requires an adept enterprise architect who, early on, helps integrate security into the design and requirements phases of a deployment. Efforts here help reduce the overall cost and complexity of IT security, because it is much less expensive and difficult to build systems that are secure from the start than it is to bolt security on later, and because doing so makes for a much more resilient infrastructure.
Second, enterprise architects know where the regulated data is stored, where it's processed, and how it's transferred and shared across systems. So they can reduce the complexity of dealing with information that falls under the scope of regulatory compliance mandates by fostering solutions that limit the sprawl of personally identifiable and other forms of regulated data. Their work may not only help limit the number of systems that could possibly fall victim to a reportable attack, but may simplify defenses, too.
And, should a breach occur, those efforts will make it easier to rectify and remediate. As the Ponemon study points out, that work correlates directly with the cost of a breach, so anything that smooths those processes is a win. For instance, the time spent on the forensic investigation will be reduced because the affected systems will be known right away. The impact of the breach will also likely be lessened because security controls (adequate segmentation, encryption, access controls) will have been built in as part of the system.
Those are just a couple of ways the enterprise architect can help simplify security and reduce the cost of data breaches. What strategies do you employ to streamline the security efforts at your enterprise?