The Barbra Streisand Model of Risk Management

By Patrick McCulley |


As so many dedicated technical professionals write columns directed at an audience of their peers, this column and its successors are intended to communicate easy-to-understand relationships between aspects of security concepts and business models in ways that business-centric personnel can easily grasp, enabling them to effectively employ these strategies to the benefit of themselves and their customers.

Security Rainman: Counting Risk

Calculating risk can sometimes be a tricky venture  some risks are easy to quantify and their detrimental effects obvious but other risks, existential in nature, present a more difficult assessment. Key factors to accurately judging the risk posed to an organisation include all manner of statistical observations: the impact of downtime on quarterly earnings, likelihood of a breach, the type of data at risk, the intrinsic value or sensitivity of the data – a comprehensive risk report for an organisation will typically include exhaustive examinations of the larger strategic picture of its security posture in combination with the critical needs of the business.

Mentally keeping track of the cards in play during a game like blackjack or poker can be challenging for even a seasoned analytical mind: many other factors also influence the outcome of the game (such as if you are caught counting cards). With 52 unique playing cards in a standard deck, the cards may be grouped according to Set Theory: Cards share traits such as suit or number, but no combination of the two, meaning each card is truly unique. The same is also typically true of the types of threats and the risks posed by these threats to any organisation. To properly identify, assess and remedy each item without disruption to business operation requires both the technical understanding of the threat and the real world experience to understand its potential impact.

Just as counting cards requires a particular type of mind to perform effectively, the strategic and granular assessment of security risks and remediation measures requires the same type of mind, the natural big-picture strategist.

A security assessment which is detailed, granular, comprehensive and categorically relevant to your business is difficult to produce. It requires systematic and comprehensive information gathering and testing. When vetting potential contractors for such a task, ask for examples of their prior work. Beware of reports that speak in broad generalisations without technical substance and which contain purely technical information without detailing its business impact. Consult multiple professionals or vendors if necessary, and ask them about each other. Competent individuals should be able to provide you with sanitized examples of their work, illustrating the comprehensiveness of their findings and strategic approaches to remediation.

The extreme importance of properly vetting personnel before engaging them in ventures as vital as security cannot be understated: Qualified individuals produce detailed, comprehensive and methodically analysed security assessments which allow your business to appropriately identify and mitigate as many threats as possible in a strategic and comprehensive fashion. Unqualified personnel are a risk, a liability and a potential PR disaster all rolled into a single package – if work is not properly performed, it will inevitably lead to failure. Imagine the losses and damages incurred if you are told a security flaw has been fixed, only to have it exploited the following month, exposing your customer database to the world.

Barbra Streisand: The Great Equalizer

Statistically, people communicate more to others about a negative experience than a positive one. This behaviour has been statistically supported in customer service studies for decades and is a critical factor in determining the longevity of a corporation: the more unhappy your customers are, the less likely they are to recommend you, and the more likely they are to steer other potential customers away from your business. This behaviour is especially impactful when combined with a relatively new emergent behaviour made capable by the Internet: The Streisand Effect.

In 2003, photographer Kenneth Adelman was sued by Barbra Streisand for $50 million (about €36.73m at today’s exchange rate) in an effort to remove pictures of her home from his website. Adelman had been taking photographs for the California Coastal Records Project, tracking erosion of beaches. Adelman posted information about the lawsuit on his website, which quickly spread to the websites of fellow photographers and outraged private individuals. The news spread with the speed of a viral epidemic, causing an irreversible spike in attention to the pictures of Streisand’s home.

Her attempt to suppress the information resulted in its wide dispersal, publication and visibility. In short, attempts to suppress information or cover up wrongdoing only increases social media exposure to your actions.

The Streisand Effect claims many victims in the Information Technology and Information Security realms – even security firms themselves are vulnerable. When an organisation takes an action to protect its interests, considerations about public perception must also be factored in when it comes to risk management. Attempting to coerce, suppress or otherwise force the hand of those involved will doubtlessly harm your firm’s reputation, especially when the topic of discussion is the integrity of your customer data. Bad news, unhappy customers and public scorn travel at the speed of Twitter.

When assessing the risk posed by elements of your infrastructure, remember to account for the Streisand Effect: if your firm attempts to suppress news of a data breach, to deny that a breach happened, or falsely claim your business has taken all appropriate mitigating measures, the situation is likely to blow up in your face. As Information Technology and Information Security professionals pick apart the statements in your press releases, they will discover every hole in your story, every flaw in your methodology, and every contradictory point. These experts will highlight your malfeasance on their websites and in editorial columns. Their readership will comment, as well as act: if they are unhappy with your firm, those potential customers may steer additional business away.

As your firm attempts to suppress information, it will simply explode into the wild, beyond your control, causing additional harm to your organisation’s reputation. As seen recently with Target, the negative press associated with the corporate missteps in Information Technology and Information Security has had a devastating effect on customer loyalty, brand strength and quarterly earnings, culminating in the resignation of Target’s CIO and CEO. Rightfully so, the leadership in any organisation will bear the full responsibility of security events.

When reviewing a risk assessment report from a security consultant or from your own on-site security staff, envision the potential impact of each scenario and its perception in the public sphere. How would the exposure of your customer database affect company image? How would you deal with the fallout? Consider an approach which proactively addresses security needs, building a sound security strategy into both your corporate philosophy and operational models alike: your employees will follow your example, but it’s up to you to set it.