In March, the Ponemon Institute, an independent research center that examines privacy, data protection, and information-security policies, reported the first decline in at least seven years of both the organizational cost of data breaches and the cost per lost or stolen record.
The institute’s seventh annual “Cost of Data Breach Study: U.S.,” which compiled data from 49 companies in 14 industries, found that the average organizational cost of breaches fell to $5.5 million in 2011 from $7.2 million in 2010, while the cost per lost or stolen record dropped to $194 from $214. (The study omitted breaches involving more than 100,000 records, which were viewed as atypical and result-skewing.)
According to the survey, sponsored by security vendor Symantec, there is a strong correlation between lowering the cost of data breaches and employing a chief information security officer (CISO) with responsibility for security practices, or having a third party help a company implement and govern data-security processes.
Having a CISO (or equivalent) can save a company up to $80 per lost or stolen record, the survey said; a third party can save as much as $41. That makes it fairly simple for companies to calculate the return on their data-security function, a calculation that also takes into account reputational impact and customer churn.
“It takes money to save money,” says Ponemon Institute chairman and founder Larry Ponemon. “CISOs are expensive. Consultants are expensive. But they pay for themselves by managing projects more efficiently.”