This is a great read: Value of Corporate Secrets
Chief information security officers (CISOs) face increasing demands from their business units, regulators, and business partners to safeguard their information assets. Security programs protect two types of data: secrets that confer long-term competitive advantage and custodial data assets that they are compelled to protect. Secrets include product plans, earnings forecasts, and trade secrets; custodial data includes customer, medical, and payment card information that becomes “toxic” when spilled or stolen.
We found that enterprises are overly focused on compliance and not focused enough on protecting their secrets. We confirmed that, indeed, increased collaboration increases data security’s importance, and that compliance pressures continue to be the motor that turns the IT security budget wheel. We also confirmed the conventional wisdom that, 75% of the time, data security incidents are attributed to insiders.
However, we also reached some surprising conclusions. Forrester concluded that not all enterprises are created equally. High-value firms manage information that is 20 times more valuable than low-value firms. And they are much more eager collaborators. As a result, the number and type of data security incidents experienced by high-value firms were four times higher, and the costs are nearly twice as high.
Key findings include:
• Secrets comprise two-thirds of the value of firms’ information portfolios.
• Compliance, not security, drives security budgets.
• Firms focus on preventing accidents, but theft is where the money is.
• The more valuable a firm’s information, the more incidents it will have.
• CISOs do not know how effective their security controls actually are.
Key recommendations include:
• Identify the most valuable information assets in your portfolio.
• Create a “risk register” of data security risks.
• Assess your program’s balance between compliance and protecting secrets.
• Reprioritize enterprise security investments.
• Increase vigilance of external and third-party business relationships.
• Measure effectiveness of your data security program.