As a species, we’ve been at physical security a lot longer than we have been working at information security. That’s why in information security there is a lot of teeth gnashing every time a security incident is made public: “Despite all we are doing, incidents still happen! Management doesn’t understand security! No one respects the CISO!” Yet, you never hear that when a bank is robbed, a car is stolen or a house is burglarized – and the real costs of those crimes far outweigh the real costs of information security incidents.
I often use the example of the retail industry. Retail typically averages shrinkage losses – losses due to employee theft and shoplifting – of about 1.5% of sales, and spends about 1.5% of sales to keep it at that level. That means roughly 3% of revenue has been found to be an acceptable cost of loss plus loss prevention. If increased security could reduce shrinkage to 1.4% but raise the cost of security to 1.7%, the business would lose less to shrinkage but keep even less of its revenue – not a good business decision.
Now, the retail industry does have to react to change: a good piece in CSO Magazine describes how the economic downturn has driven shoplifting up, even though employee theft actually decreased. This caused the shrinkage rate to go from 1.44% of sales to 1.52%, after 6 years of declining. This equates to losses of $36.5 billion (with a B), which, if I’m doing my ciphering right, means an additional $1.92B in losses – at a time when retail sales have likely declined anyway.
Yet, no teeth gnashing. No congressional hearings on shrinkage. No “shrinkage czars” being proposed. Just a lot of security people who will be working to get the shrinkage level back down to the historically acceptable business cost level.
John Pescatore