IBM Global Technology Services has released a follow-on study to its Global Study on the Economic Impact of IT Risk, which was done with the Ponemon Institute. The follow-on study is called "Making the business case for business continuity and IT security." This report follows up on the original study with a more detailed survey. From the report:
"Ponemon Institute surveyed 1,069 business continuity specialists and 1,247 IT security practitioners representing 20 industries and 37 countries. Most of the combined group of 2,316 respondents are in the IT organization and report directly to the CIO or head of corporate IT. Respondents at the manager level represent the largest segment (33 percent), followed by directors (23 percent) and supervisors (19 percent). More than half of the respondents are in larger-sized organizations with more than 5,000 full-time equivalent employees.
Participation was limited to IT professionals whose job focus is either business continuity, IT security or both, with decision-making or performance-related responsibilities. Although most participants are focused on only one of the IT disciplines, their survey responses were remarkably similar—with only a few instances of statistically relevant differences."
In order to get down to dollars and cents, the survey respondents were asked to estimate the number of minutes of down time related to "minor," "moderate," and "substantial" events, estimate the total costs of that down time, and then apportion those minutes across various categories of costs to the company.
There is a lot of detail in the report. One of the more interesting findings was that "minor" events had higher costs per minute of disruption than even major disruptions. But the bottom line summary from the report is from Figure 2:
The absolute numbers are huge! You can quibble with the absolute numbers, arguing, for instance, that a small business's costs from IT incidents are going to be smaller than those incurred by a major enterprise. But I think the percentage breakdown is very interesting and probably holds across enterprises of all sizes. By far, the costs associated with IT disruptions impact the business more than the IT organization. A staggering 75% of costs from IT incidents are business-oriented losses, not technical costs to the IT organization. And the biggest of the business costs is damage to reputation and brand.
If that's not enough to make line of business owners stand up and take notice, I don't know what will.
Download and read the full report when you get a chance. This is a report whose details are worth diving into so you can make the business case for IT security and continuity.