What’s the value in information security? Nigel Sampson on The State of Security blog notes that, although business boards are pushing back on cybersecurity investments, “executives do not understand that one successful phishing email could cost the company millions of dollars.” (Phishing, Wikipedia explains, “is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords and credit card details, by disguising oneself as a trustworthy entity in an electronic communication.”)
The problem is that “Information Security leaders have to demonstrate the value and purpose for each solution that’s purchased and prove the solution that was chosen is doing the job it was procured to do. Executives are therefore requiring Information Security leaders to prove the value of the solutions in ways they understand. They need to see the value not in security metrics but in dollars and cents.”
Fair enough. Yet always keep in mind the other side of the ledger: the cost of an intruder’s successful attack.