We’re storing too much sensitive information, and our budgets are way too small to protect it. No surprise there. This problem is at the root of so many of the breaches and ransomware attacks filling the news cycle. Ask anyone working in data; they’ll talk your ear off about it.
What do we do about it? It’s only getting worse. The unfortunate reality is there are nearly unlimited targets that are easy and potentially devastating. We all know the symptoms: atrocious password policies, inexperienced (or cost-cutting) IT slip-ups, and – the bane of everyone’s existence – legacy systems never being patched or upgraded. Data security, privacy, and protection are rarely a priority until it’s too late.
The picture that comes to mind is an old IBM blade server shoved in a literal closet, set up ten years ago by the owner’s nephew, never patched once, and running the entire business.
The thing is, a Fortune 500’s data concerns are rooted in the same issue as that mental image—a failure to value data. The question isn’t how much you spend on storage and maintenance, but how much the data is worth. Why? The higher the asset’s worth, the more you’ll spend to protect it.
We’re not breaking new ground here; valuing data is often covered under risk management, a la CISSP. However, in practice, it’s rarely done and seldom given the necessary business attention.
Businesses make more money by either generating more revenue or spending less. What do you do with cost centers? Minimize them, spend as little as possible. With such cheap storage, the typical tactic is to store it all, just in case. The reality is businesses try to store as much data as possible while spending the least amount of money to protect it. If you undervalue it, you won’t spend enough. Do this long enough, and inevitably you’re compromised.
There are many fancy, complex methods for valuing data, but the concept is simple. It’s a combination of current and future value – plus how screwed you are when you get hacked. Cybersecurity 101 – it’s not a matter of how to value data, it’s why we should value it.
Where it gets interesting is when you expand data valuation beyond risk management. First, it’s an asset that’s great for enterprise value creation. It gives you a model to budget against for protection and future value forecasting. After that, a simple IRR will tell you if the new analytics project is worth it.
Second, is your product SaaS? Does it require data, does it generate data, probably both? It’s not a stretch to see how a clever CFO would have a field day. A sizable data asset carefully categorized could have a profound impact on margin.
Finally, the part that’s most often overlooked: the data you’re holding is a liability – both in a risk management sense and a financial liability sense. If your database is breached, it could cost millions. Part of valuing your data is detailing what would happen if it were leaked, held for ransom, etc. It’s a quantifiable amount you can budget against and insure. However, you may also be storing a ton of user data. That data has value and, in an increasing number of jurisdictions, belongs to the user. It’s a bit like a bank, where users deposit cash assets, and the bank retains a liability to pay the user back. Mismanagement of user data can get you sued. Just ask Equifax.
Good luck trying to tell the CFO you have millions in overlooked liabilities. On the other hand, isn’t that the point? All of this hidden liability has resulted in underspending and threats galore. If you don’t want the liability, don’t store the data.
As long as we continue to undervalue data, we will underspend on protecting it. CPAs will push back, stating there is no official process or third party to assign value to data yet. They’re not wrong, but it doesn’t have to show up on the balance sheet for leaders to pay attention.