How Business Continuity Management Boosts Value in Your Security Program

As the old proverb goes, time is money. While much of the cost of a data breach is tied to the value of the lost records themselves, many organizations underestimate the costs associated with lost time and inefficient processes, especially when it comes to incident response.

Last month, IBM released its “2018 Cost of Data Breach Study: Impact of Business Continuity Management” in partnership with the Ponemon Institute. The goal of the study was to quantify the financial and reputational value organizations can derive by investing in active business continuity management (BCM) programs before a breach.

According to the report, organizations that have implemented proactive BCM into their incident response process have significantly reduced the time it takes to identify and contain a breach, as well as the possibility that their data will be compromised. As a result, these companies have reduced incident response costs by an average of 31.5 percent. What can security leaders learn from this trend?

How Can Companies Reduce MTTI and MTTC?

The study emphasized the efficacy of BCM practices in shrinking both the mean time to identify (MTTI) a breach and the mean time to contain (MTTC) one. Overall, MTTI has been on a slow but steady decline over the past four years. However, organizations with BCM integration reported an MTTI of 170 days in 2018 (down from 178 in 2015), while those without BCM reported an MTTI of 214 days (down from 234 in 2015), a difference of nearly a month-and-a-half. Although MTTI is generally improving, companies with BCM plans have consistently reported better numbers.

Similarly, MTTC for organizations with BCM integration was 52 days, compared to 90 for those without it. The cost savings from BCM integration stem in large part from the amount of time saved while identifying and containing a breach. The longer the attackers go undetected, the greater their loot and the damage they can do.

Organizations of all sizes should look internally at their current incident response capabilities — both in terms of reacting to and containing a breach — and find ways to make improvements. Most importantly, while a potential indicator of compromise (IoC) is under investigation, are your business operations still running as normal?

Smoothing over a response plan to minimize interruption could include running drills to sharpen response time and adjust playbooks, sharing and comparing response time averages with industry peers via information exchange channels, and leveraging technologies such as artificial intelligence (AI) to augment the capabilities of human incident responders and more accurately zoom in on trouble spots.

Add Up the Costs of a Breach

The single largest cost factor of a data breach — representing about 38 percent of costs — is the value of lost business. This number includes decreased client rosters, acquiring new customers post-breach and lost revenue from any downtime in operations.

Against this backdrop of average data breach costs ($3.86 million), the data reported shows a clear advantage in favor of organizations with BCM integration, which experienced an average total breach cost of $3.55 million, over organizations without BCM involvement, which risk losing $4.24 million.

In other words, the difference in the cost of a data breach favors organizations with BCM integration to the tune of $0.69 million.

Why You Should Automate Disaster Response

The report also pointed out the value of an automated disaster response (DR) process that also provides resiliency orchestration. While only 21 percent of organizations reported such an established function, those organizations saw a significant reduction in the daily cost of an active breach from $6,546 for a manual DR process down to $3,100 per day for those with an automated and orchestrated DR.

The lesson here is that there is a clear benefit to investing in worst-case scenarios. In case of a fire, would you organize people into a chain handling buckets of water, or would you rather have a fully automated sprinkler system that discharges in both the burning room and the surrounding area?

An automated and orchestrated DR process more than halves the daily cost of a breach. Would it be reasonable for your organization to pass on these kinds of savings? Would top leaders bet their jobs on going without it?

How Business Continuity Management Can Improve the Bottom Line

The “Cost of Data Breach Study” contains insights that chief information security officers (CISOs) and chief risk officers (CROs) can use to communicate the value of their cybersecurity strategy, including ranges of costs and benefits for improved decisions about cyber risks. It provides not only an updated picture of the time needed to detect and contain a breach, but also expected overall costs and benefits of implementing an integrated BCM function, including reducing the negative impacts on IT operations, reputation, customers and, ultimately, the bottom line.

CISOs can translate the impact of cyber risks into business and financial impacts by mapping their own figures against those of the report and generating a holistic picture of the dollars at stake. Overall, this data provides an important opportunity to demonstrate from a high level the interconnectivity of the business’s security program and its defining operations.

Christophe Veltsos

InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato...