Rallying Support For Security Investments

March 7, 2012

New Method for Quantifying Breach Costs, Justifying Spending

By Howard Anderson

Because winning the support of CEOs for any new project requires demonstrating a return on investment, information security professionals need to more precisely quantify the potential payoff of their suggested spending on technologies and training, according to a new report.

Security specialists need help “putting together a business case to garner more investment in protecting sensitive patient information,” says Rick Kam, who led the PHI Project, which produced the report.

The study, “The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security,” offers a plan for assessing an organization’s security risks and provides formulas for quantifying the potential costs of breaches that could result if those risks aren’t mitigated (see: Measuring Potential Breach Costs). In this way, security professionals can more precisely demonstrate how specific security investments could help avert specific costs, Kam says.


In an interview, Kam:

  • Describes how the American National Standards Institute’s Identity Theft Prevention and Identity Management Standards Panel collaborated with the Santa Fe Group/Shared Assessments Program Healthcare Working Group and the Internet Security Alliance to create the report;
  • Outlines a five-step process for quantifying the potential costs of breaches, based on an organization’s risks; and
  • Tells how security professionals can use that breach cost information to help justify specific investments.

A free webinar describing the full report will be held March 21.

Kam, CIPP, is president and co-founder of ID Experts. The company has managed hundreds of data breach incidents for healthcare organizations, corporations, financial institutions, universities and government agencies. He has extensive experience helping organizations address the growing problem of protecting personal information and remediating privacy incidents, identity theft and medical identity theft.