Every now and then you hear a vendor use the phrase, "the cost of doing nothing." This means: instead of trying to calculate a return on investment for a piece of software or hardware, figure out the worst-case scenario result of not buying a solution, and then estimate what that train wreck would cost.
If operations risk could be compared to a car, while they make an effort to maintain the car, "most banks don't think about the cost of lost opportunity if the car blows out in the middle of a freeway and you miss a deal," says Amad Fida, chief executive of the risk analytics company Brinqa. "What is the cost associated with that? If it happens, would you be able to survive?"
Brinqa has added cost-of-doing-nothing modeling to its tech and ops risk software. The original software analyzes a company's technology and operations infrastructure for gaps, such as software patches that have not been installed or antivirus software that is out of date. The software collects information about operations risk and security vulnerabilities from internal security tools, audit tools, spreadsheets and homegrown databases.
The new element Brinqa is adding to the software today attempts to attach a dollar amount to such holes, letting IT people prioritize operations risks and convince the business side to agree to cover the cost of fixing the most egregious ones.
The software considers the value of data stored in an app or process, for instance. "It could be a credit card, it could be health care information, it could be insurance coverage," Fida says.
These types of sensitive data are among those Forrester characterizes as "toxic data." "Some information is a valuable asset to the organization, but because it's valuable, it's also an attractive target for thieves or would be an embarrassment to the company if exposed," wrote Ed Ferrara, principal analyst serving security and risk professionals at Forrester, in a recent report. "This usually includes, but is not limited to, personally identifiable information, personal health information, personal cardholder information, and intellectual property."
Losing such records incurs a cost not only from the value of the records themselves but also from a recovery and damage-control point of view notifications need to be made, press releases may need to be put out, customers may need to be reassured by phone.
Brinqa crunches the worst-case costs to come up with an overall dollar amount associated with a technology or operations risk.
It can bring in external data sources as a frame of reference for banks that may have trouble quantifying their doomsday scenarios. For instance, it can access threat databases that show which banks have been hit with cyberattacks and the scale of those attacks.
However, such sources are limited, Fida says. "There has been a lot of effort from financial services firms toward sharing this information, but they fall short every time. For competitive reasons, banks don't want to share a whole lot."
In some cases, the cost of lost opportunity is hard to measure and is more of an estimate, Fida concedes. "The emphasis is not on being perfect and accurate, so much as having a way to prioritize," he says.
Technology risk is the easiest to measure a dollar value for, Fida notes. IT assets have clear price tags.
But all of this is a relatively new concept. "People have not been thinking along economical structures," Fida says. Two large banks have begun using the product, but they have not given permission to use their names.
The software is meant to make decisionmaking easier for businesspeople who don't understand technology. "Even if you tell them there's an 88% chance of a data breach, that doesn't tell them whether they should fix it or not," Fida says. "But if I tell them the cost of not doing anything is this much, and if you want to go all the way and fix it, it will cost X amount, they can very easily decide this is a decision they want to make." Or don't want to make, if the cost of doing nothing is lower.
This fall Brinqa will add several new elements to the software, including enhanced visualizations for mobile, tablet and desktop devices; assessment and survey tools; new connectors; business intelligence to create user-defined dashboards and reports; and compatibility with mainframe operating systems such as IBM Z/OS, and z-Linux platforms.