Properly Framing the Cost of a Data Breach with Executives and Boards

Jeremy Wittkop, CTO


The origin of this blog was actually my research into building a rock-solid, indisputable return on investment (ROI) model for security programs and initiatives. However, the focus changed as I began poring over statistical models and global research to stitch together all of the elements I would need in order to weave together an amazing ROI tapestry. What I initially found, and what prompted this post, was a stagnant view of the costs associated with data breaches: a view in which people process data breach costs as linear in nature, ignoring the inflection points that trigger a worsening of the overall situation faced by an organization, and a view that does not properly frame the conversation about how data breaches actually affect an organization monetarily.

There is a lot of research, including Ponemon’s annual Cost of a Data Breach study, which does a good job of quantifying the average cost of each record lost across a large sample of records and provides some really interesting information across multiple countries on the difference between the direct and indirect costs of a breach. It is a must-read for me every year as soon as it is released. However, the challenge with applying the current cost-of-data-breach reports to the organizations I work with is that this type of research, taken at face value, yields a graph of breach cost by size that is linear in nature.

My experience has shown that such a graph does not reflect reality. It’s far too simple. There are at least two major inflection points that aren’t accurately identified. The inflection points not identified in linear charts represent the escalation of awareness surrounding an organization’s breach.

All breaches will incur a minimum cost related to identification and remediation, essentially a minimum cost of entry. This entry point is followed by a flattening curve until the size of the breach hits its first inflection point. There are two additional thresholds that may cause a second and even a third inflection point. These thresholds relate to general public awareness and press coverage. The trigger for a second inflection point is where security nerds like myself pay attention, start talking about it, start writing about it, and begin using it as examples in presentations, podcasts and blogs. A third inflection point is triggered when a breach becomes big enough news that it hits the mainstream and everyone becomes aware of it. You can use different logical tests to determine whether a breach has hit mainstream, but I like the non-technical family member test. This is when my least security-minded or technically inclined family member or relative starts asking me about a breach. At that point, I know it is a mainstream event.

The existence of these inflection points became apparent as I was reading an entertaining report in USA Today about the top 20 most hated companies in the United States. As I scrolled up the list from the bottom, I passed Harvey Weinstein’s company, airlines who beat and bloodied their passengers, and companies who have had various public relations disasters. In the number one spot I found Equifax. It should be noted that Experian and TransUnion were not on the list, so one can assume that the respondents did not have some irrational vendetta against credit reporting agencies who may have contributed to them being declined for credit cards, car loans, home loans, etc. Equifax is the most hated company in America because of a data breach. Another article described how Equifax, as a publicly traded company, had lost 31 percent of its market capitalization, a measure of the value of the company, totaling over $5 billion since the breach. That is a ridiculous cost.

Another fun research project you can do to start looking at breach costs, and the inflection points that increase them, relates to Target. If you review Target’s top-line sales in Q3 of the year of the breach and Q3 of the year after, you will see a decline in sales of more than $1 billion, or 20%, in an industry sector that actually grew during the same period. While the initial breach potentially only occurred over a set period of time, the organization is still feeling the effects much further out.

Both of these examples and subsequent inflection points indicate general awareness, from the initial discovery by the organizations, to industry insider knowledge, to general public awareness and eventual broad media coverage. One can also assume that if an organization does not properly disclose, does not know the extent of a breach, or isn’t forthcoming with information to the public, the additional negative publicity will increase the indirect costs related to a breach.

If a CIO, CISO, or another person responsible for maintaining data security is only providing damages associated with a cost per record to the rest of the executive team, the executive team or board may not be thinking about, or be able to visualize, how different types of incidents would monetarily affect the organization. To do so, you must account for different categories of incidents and what the inflection points represent. The first category is a minimal event, which won’t gather any attention outside the organization. Such events are often accidental, and their likelihood can be significantly reduced by utilizing commonly available security tools. Minimal events, depending on the industry, may not be required to be reported externally.

The second type of event is one that contains more records and will gather the attention of people like myself, but not necessarily the mainstream press. This category is where organizations start to evaluate brand impact and public relations activities, and where the cost per record starts to increase. An example of this is Deloitte. Most security professionals are familiar with the Deloitte breach, but most non-security people, unfortunately, couldn’t give you much, if any, detail about it. The final category is a breach that would make the nightly news and have a major impact on enterprise value. The majority of companies in the world do not even have enough data for a breach to rise to this level; however, for those that do, there are few security expenses that are not justified if they can materially reduce the likelihood of such an event occurring.
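To make the three categories concrete, here is a small model, added for this post and not the author’s ROI model, that compares a flat cost-per-record estimate with one that adds indirect costs at each awareness inflection point. Every threshold, rate and fraction in it is an assumed placeholder (not a figure from any study), chosen only to show the shape of the curve.

```python
"""Breach-cost model with awareness inflection points (constructed example).

Not the post author's ROI model. All thresholds, rates and fractions below are
assumed placeholders, not figures from Ponemon or any other study.
"""
from dataclasses import dataclass


@dataclass
class Org:
    enterprise_value: float  # market capitalization or equivalent, in dollars


# Assumed inputs (placeholders)
MIN_RESPONSE_COST = 250_000.0       # cost of entry: identification and remediation
DIRECT_COST_PER_RECORD = 150.0      # flat direct cost used by per-record models
INDUSTRY_THRESHOLD = 100_000        # records at which security insiders take notice
MAINSTREAM_THRESHOLD = 10_000_000   # records at which the story reaches mainstream news
BRAND_PR_COST = 2_000_000.0         # fixed brand/PR spend once insiders notice
VALUE_LOSS_FRACTION = 0.05          # share of enterprise value lost at mainstream tier


def tier(records: int) -> str:
    """Map breach size to the awareness tier described in the post."""
    if records >= MAINSTREAM_THRESHOLD:
        return "mainstream"
    if records >= INDUSTRY_THRESHOLD:
        return "industry"
    return "minimal"


def linear_cost(records: int) -> float:
    """What a flat cost-per-record model predicts."""
    return MIN_RESPONSE_COST + DIRECT_COST_PER_RECORD * records


def inflected_cost(records: int, org: Org) -> dict:
    """Direct cost plus the indirect costs that appear at each inflection point."""
    t = tier(records)
    b = {"tier": t, "direct": linear_cost(records), "brand": 0.0, "value_loss": 0.0}
    if t in ("industry", "mainstream"):
        b["brand"] = BRAND_PR_COST                          # second inflection point
    if t == "mainstream":
        b["value_loss"] = VALUE_LOSS_FRACTION * org.enterprise_value  # third
    b["total"] = b["direct"] + b["brand"] + b["value_loss"]
    b["effective_per_record"] = b["total"] / max(records, 1)
    return b


if __name__ == "__main__":
    org = Org(enterprise_value=20_000_000_000)
    for n in (5_000, 500_000, 50_000_000):
        b = inflected_cost(n, org)
        print(f"{n:>11,} records {b['tier']:<10} linear=${linear_cost(n):,.0f} "
              f"inflected=${b['total']:,.0f} per-record=${b['effective_per_record']:,.2f}")
```

Running it shows the effective cost per record is not a constant: it is high for tiny events because of the fixed cost of entry, flattens in the middle, then climbs again once enterprise-value loss enters at the mainstream tier.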

I am not laying this out to say that companies should hide incidents from their clients, but to illustrate that the costs associated with events are not equal and do not follow a linear path. The type of incident, its size, its overall impact, and the mitigation process all affect the actual cost of a breach. While this is not the fully built ROI model I had hoped to present, I hope this post helps frame the conversation properly with the executive teams and boards you may interact with. It is frustrating when all of the conversations revolve around cost per record when it is really not that simple. It’s equally frustrating for security vendors to come into client environments waving the banner of Equifax, Target, or GDPR to try to scare executives into action.

As a security professional, I strongly believe the work we do is vital for individual property rights, which does no less than preserve the way of life associated with capitalism and individual freedom. I also believe that well-crafted security programs intelligently designed to mitigate the right types of risk are a good investment. If you accept both of those statements as true, we must spend more time trying to build and perfect realistic investment models and less time cheapening our mission by sowing seeds of fear, uncertainty, and doubt. All of that starts with calculating the true cost of a data breach. Now, back to building that ROI model I alluded to.