Cybersecurity and Costs

Cybersecurity Costs

By Charles Parker, II

I have consulted with a company recently. They were reviewing the ISO27001:2022 certification. This, depending on the circumstances, could be a heavy lift or not too bad. This is entirely dependent on the environment. After the initial review and recommendation, the first comment was the business didn’t have the budget for the tools, staffing or anything. This left me a bit confused, as the certification process is not inexpensive.

This reminded me of the budget process. The C-level and senior management don’t at times understand security’s role. They instead think like an accountant and try to arrive at an ROI (Return on Investment). This has the propensity to be very difficult. When you try to commoditize this, there are problems.

When I hear this, my thoughts run to how much would a network compromise cost with the additional ransomware thrown in for good measure, even with cybersecurity insurance? How much would it cost for your connected medical devices to be breached and malicious code put in the firmware, with three or four patients feeling the effects? There are the direct costs, of course, but also the indirect cost of reputational risk. These are a few things to think through.

About the Author

Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries