Perilocity picks up the Gartner numbers comparing preventive data encryption +- HIPS:
"A company with at least 10,000 accounts to protect can spend, in the first year, as little as $6 per customer account for just data encryption, or as much as $16 per customer account for data encryption, host-based intrusion prevention and strong security audits combined," Litan said in an accompanying statement. "Compare [that] with an expenditure of at least $90 per customer account when data is compromised or exposed during a breach," she added.
This is useful stuff, but I can’t quite agree with Perilocity’s conclusion:
So if you split the difference and spend $10/customer on security as prevention, that stitch in time really does save nine stitches fixing it later. Prevention is good risk management.
This only works if you can either predict which of your laptops are going to be compromised, or you assume that more than 1 in 9 of your total laptops will be compromised.
Chris Walsh at Emergent Chaos has good details.
Update: I just realized that I’ve been assuming "laptops" all along, since the Gartner estimates initially made the news when Gartner testified before Congress about the VA debacle. The key denominator here is the customer account, and the security costs discussed are server-side costs. Obviously, my assumption is quite different from the scenario in the Gartner report. From what I can tell, the Gartner estimates don’t even include client-side security (encryption and/or HIPS), which means that the VA (or anyone compromised) would have spent the money for prevention against the wrong attack, then would have incurred the costs of the breach as well.