Cybersecurity and Costs
Cybersecurity Costs
By Charles Parker, II
I recently consulted with a company that was reviewing the ISO 27001:2022 certification. Depending on the circumstances, this can be a heavy lift or not too bad; it is entirely dependent on the environment. After the initial review and recommendation, the first comment was that the business did not have the budget for the tools, the staffing, or anything else. This left me a bit confused, as the certification process itself is not inexpensive.
This reminded me of the budget process. C-level executives and senior management do not always understand security's role. They instead think like accountants and try to arrive at an ROI (Return on Investment). This tends to be very difficult, and trying to commoditize security in that way creates problems.
When I hear this, my thoughts turn to how much a network compromise would cost, with ransomware thrown in for good measure, even with cybersecurity insurance in place. How much would it cost for your connected medical devices to be breached and malicious code placed in their firmware, with three or four patients feeling the effects?
There are the direct costs, of course, but also the indirect cost of reputational risk. These are a few things to think through before deciding that security has no budget.
About the Author
Charles Parker, II has been working in the infosec field for over a decade, performing pen tests and vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and infosec policies and procedures. Mr. Parker's background includes work in the banking, medical, automotive, and staffing industries.