This column is aimed at C-level personnel, as well as senior and middle management. If you are an Information Security professional, this column is for the people above you, upon whom the ultimate responsibility of enforcing your security policy rests. It will explore the responsibility which the officers of a company hold to their customers, in an effort to communicate big-picture relevance of security to non-technical personnel.
Criminals care more about your customers’ data than you do – why else would they undertake such great efforts and go to such great lengths (and at great personal risk) to obtain it? Simple: your customers’ data is even more valuable than that of your company to Internet-based criminal enterprises. Putting aside situations involving targeted espionage, your customers’ private data is the main target of any intrusion into your corporation by nefarious actors. Your company’s data is largely worthless, especially in the retail and service industries: customer data holds the true value to your criminal adversaries.
The prevailing attitude in the C-level community towards data breaches is primarily one of damage control – prevention takes second chair. This mentality is not only harmful to the consumer, but to the business as a whole. As high-profile breaches such as Target, and now Home Depot, continue to make headlines, ever greater scrutiny of your corporation’s Information Security disposition will result. The public has a thirst for scandal, with technically literate professional blogrolls ready to pounce on any mistake you make.
When considering the role of Information Security and its importance to your corporation’s profitability, the impact of a data breach on customer disposition to your firm must be fully considered – as the Target breach so clearly illustrates with significant quarterly losses and the resignation of the CIO and CEO, failure to protect your customer data may (and likely will) cost you dearly both financially and in the court of customer opinion.
To cut corners with your security policy, to under-budget your Information Technology department, to hire unqualified personnel, or to simply consider these threats to be existential, sends the following message to your customers:
“Criminals care more about the security of your personally identifying information than we do.”
Trust, But Verify
The realm of Information Security is broad, encompassing everything from policy and implementation audits to forensics and incident response – these varied areas require skillsets in both the general and specific, and each with their own career focus. Despite the differences in the technical skills required for each area of discipline, one particular concept traverses any separation of duties: Upholding the public trust.
Information Security professionals are in a particularly sensitive position, one in which the trust of shareholders, officers, managers, employees, customers and regulatory bodies is placed upon them, not only in a functional role, but as an individual with a name, face and professional reputation. The professional reputation of the individuals tasked with protecting your organisation and customers rests with their technical skills, level of dedication, and sense of personal responsibility towards their duties. To compromise any of these may mean career suicide – as a result, you will rarely find a more serious individual to engage in meaningful dialogue about the risks your organisation faces, than your own Information Security staff. These individuals are one of your firm’s greatest assets: utilise them effectively.
To uphold the public trust requires the discipline to properly and thoroughly execute due diligence – failure to do so results in the compromise of personally identifying information. While the exposure of such data to criminal elements may not necessarily mean the end of your business, it may instead mean financial difficulties, loss of income or savings, identity theft and, potentially, personal financial ruin or worse for your customers: they do not enjoy the buffer of company assets, the golden parachute, or the limited liability of a corporation to protect them from such financial harm.
Your business depends solely on the money your customers infuse into it – without them, you are nothing. Your customers provide you, your employees and your shareholders with the money necessary to continue operating. Your customers provide you with industry leading (or failing) status. Your customers provide you with a positive or negative image in the public sphere. In short, your customers are the life of your business, and their private data is your organisation’s lifeblood. Failure to protect it means profitability hemorrhagia: criminals will bleed your customers dry, leaving them in a state of distrust and without the means to purchase your product.
Sales, Security, Sophistry
You, the executive, are also a salesperson: your pitch to the board of directors is also your pitch to the general public. When questioned about the security posture, disposition and capabilities of your organisation, are you prepared to give truthful, meaningful and detailed answers? Are you confident that you didn’t cut corners to save some cash? Are you confident that the personnel you hired are qualified for their roles? Have you hired third-party security auditors to ensure due diligence in each security domain? Have you ensured compliance with all appropriate regulatory bodies? Have you done your own due diligence to ensure your customer’s data is as safe as technically feasible? Would you store your own personally identifying info in your own customer database, without fear?
If the answers to the above questions are “Yes”, your sales pitch to customers may honestly include the value-adding concepts of a sound security strategy and implementation, bolstering the trust of your customers, the strength of your brand and the profitability of your organisation. Protecting this data is in the interest of both your corporation and your customers: it is much easier and cheaper to spend money on preventative measures than it is to suffer plummeting market value and customer loyalty after a data breach.
If the answers to any of the above questions are unknown or unaddressed, the consequences are that your sales pitch is an empty release of hot air; you are lying to your customers, lying to your shareholders, lying to your employees, and lying to yourself. Your pitch is filled with buzzwords, meaningless platitudes and outright lies, whose fragile framework will collapse the very moment a qualified security professional picks your statements apart on their blog. Failure to perform due diligence on your part means a failure to ensure the success of your brand.
Irrespective of your corporation’s public or private status, the trust of your customers becomes the public trust: care for your customers and they will care for you. Betray the trust of the public, and the public will ensure your downfall.