ACES Faculty Member Featured in SecurityIntelligence Blog

news story image

Dr. Lawrence Gordon, ACES Professor of HACS 208A, Accounting and Economic Aspects of Cybersecurity, was featured in SecurityIntelligence’s Blog. The blog highlights the Gordon-Loeb model, a practical approach to budgeting and investing in cybersecurity. The Gordon-Loeb model wasdeveloped at the University of Maryland’s Robert H. Smith School of Business by Dr. Lawrence Gordon and Dr. Martin Loeb. ACES students taking Dr. Gordon’s class, HACS 208A, learn about this model and discuss the relationships among accounting, economics and cybersecurity. The blog, titled “Get the Security Budget You Need and Spend it Wisely,” is available below.

It’s challenging for a CISO to get budget for cybersecurity. Your board of directors really wants to spend that IT money on projects and solutions that will expand the business and bring in more revenue. That’s what your shareholders value.

As breaches become more commonplace, your colleagues and customers become desensitized to the potential impact of a breach, which can downgrade their sense of urgency to protect assets in advance. New CISOs sometimes report being given no security budget at all(link is external).

It’s less likely now that your company’s stock will fall significantly if you happen to have a public breach. This alone can lull people into a misguided, if not outright false, sense of security.

The reality is that the overall cost of a breach has been steadily rising(link is external), according to the Ponemon Institute. The cost of a data breach is composed of several things, including the cost of acting to reduce the impact, the loss of brand reputation and consumer trust, and even the cost of litigation.

So how do you show that there is value in investing in cybersecurity and justify a proper security budget? There isn’t an ROI in the way that most company accountants understand it. Much of the time you have to rely on your experience and judgment, as well as the competing claims of security vendors — none of which helps you build a compelling case when you are being asked to assess the return on the investment and tell the board members why they should spend their money on your security budget.

View the full blog featured on SecurityIntelligence.(link is external)


Published August 25, 2016