Monday, March 21, 2011

The Cost of Data Loss

Last week I mentioned what a good time I had at the CMIT event in Charlottesville, VA. Walter Mossberg was there, and some of his ideas I agreed with and some... not so much. He can be a lightning rod, which is a good thing because it stirs the debate. I say that because I suspect that was his intent when he said something that I thought was rather controversial. He said, and I'm paraphrasing here because my stenography skills aren't too good, that organizations overvalue the cost of lost data.

Someone brought up the issue of security and we were talking about data loss and how best to try to protect data as an organizational asset. The peanut gallery was essentially saying that we had to have a limited number of platforms and software so that we could concentrate our defenses. Walt was responding to that idea with the concept that people are the value creators for the organization and they know best how to be good at what they do. As such, there shouldn't be any constraints placed on them from a technology perspective.

So the question is, do organizations have a tendency to overvalue the cost of data loss? Walt thinks they do. I disagree with him on this issue. In fact, I think organizations are still undervaluing the cost of data loss. My point is this: let's say we lose 400 social security numbers. There is a real actuarial type of response to identify the cost of the lost SSNs. It will be some dollar value times the number of instances lost. But then the organization has to add to that the amount of good will lost.

In a market economy, if you take a company and add up all of the assets, intellectual property and cash you identify the value of the company. If you take the number of shares available and multiply that by the share price then you will identify the market value. In a lot of cases the market value is bigger than the value of the company. When that occurs the outstanding value is called good will.

I would argue that the loss of a bunch of SSNs has that first-level cost of the loss of each number. But I would also say that the second-level cost is in good will. So if, for example, a bank lost a bunch of data, then it would have to pay the damages to the people whose data was lost, but it would also likely take a hit in the stock price because people will lose confidence in the organization.

For an agency like mine, we don't have a stock price, so it is difficult to estimate good will. But I do know what it looks like to break the public trust. Look at the Veterans' Administration. A few years ago they had several high-profile breaches of SSNs. If the public doesn't trust them to safeguard that information, then it hampers the organization's ability to perform its mission.

So I would argue that the public trust aspect, especially with a government organization, but also with a bank, a hospital, anything that is held in that regard, that public trust is paramount. It is key to continuing as a going concern for a company, and to survival as a government agency. If anything, I would say that we are undervaluing the cost of data loss, not overvaluing it.

1 comment:

  1. Tim, I agree with you that organizations do not know the cost of their data. In my corporate days I had the opportunity to ask the CFO what value he placed on the company's digital assets. He wouldn’t answer me directly but would defer to the company's insurance policies as a valuation for data replacement costs. I was stunned. Sure there was hardware to replace, but what about the customer databases and all of the documents stored on file servers and SharePoint servers? It’s amazing that only after someone has to pay for data breaches or recovery do the economic impacts hit home—but then it’s too late.
