
Talking Out Loud with ASB

Views on Life, Technology and Everything, by ASB (aka Logik!)...

The Price of Poor Security?

Given the and , I've been thinking about how poor security is going to impact organizations and consumers over the next few years.

Even though there have been an increasing number of attacks over the past 18-24 months, and even though the severity of the attacks is getting worse, consumers and private citizens don't seem to be too troubled over these incidents, because the relationship between the attacks and actual personal discomfort has not been apparent for many.   And to some extent, many folks see these attacks as inevitable.

They aren't.  Or, rather, they don't have to be.  There are many reasons for security issues, but many of them can be avoided or considerably mitigated by applying the right combination of people, process and technology -- diligently.

What would be useful for us is to have some publicity when a company does security correctly, and manages to successfully defend against an attack of some sort.  The problem with this suggestion is that it would draw undue attention to the organization in question, and make them a more definitive target -- essentially, increasing their risk profile.  So the companies that are doing it well are going to want to keep that success under the radar.

What we will have to settle for, instead, is free-market punishment of those organizations that perform security poorly.  Yes, we live in an increasingly online world, but we should still be able to expect a measure of security and privacy for ourselves.  Companies that don't do this need to feel the loss as customers move to other firms that clearly share these values.  This would provide a clear incentive to organizations to treat security with the respect that it deserves, and apply the necessary resources to doing it right and doing it well.

This brings us back to Monster.com.  I wonder how many people actually stopped using Monster as a result of the publicity surrounding the breaches, and how many of those will stay away when the publicity dies down?  Or have we all just rationalized the issue as inevitable?  "It could have happened to any of the others..."

For that matter, I wonder if any of the other job boards are actually reviewing their own security posture right now, or if they're just saying to themselves, "it must hurt to be Monster.com."

I suspect that people are not going to keep burying their heads in the sand.  As more breaches take place, more people will be directly affected in the form of Identity Theft, or increased hassles from changing out credit cards, etc.  As a result, you can expect that just as the threats have changed over the past few years, forcing consumers and average citizens to become more savvy about technology, so too, the tolerance for poor security will change, and companies will confront a more diligent public, expecting them to keep private information private.

Companies need to get ahead of that curve by looking at the risks associated with poor security from the standpoint of long-term damage to the brand, and not simply from a short-term cost perspective.  

At the end of the day, it is not possible to avoid paying for security -- you either pay n dollars up front, or you pay 4n dollars, plus PR and brand rehabilitation costs.   Pay, or pay big.  Those are the options.

The public is tired of bearing the brunt of poor security -- or, they will be any day now...

Posted: Thursday, August 30, 2007 10:43 PM by Logik!

Comments

BrainWave Technology Tidbits said:

Given the recent spate of breach announcements from companies like Monster.com and TradeFreedom Securities

# August 30, 2007 11:05 PM

About Logik!

Andrew S. Baker aka ASB aka Logik!

Andrew S. Baker is a business-savvy, hands-on IT leader with expertise in mentoring people, mitigating risk, and integrating technology to drive innovation and maximize business results. He creates competitive advantage for organizations through effective IT leadership: implementation of processes and controls, and architecture of robust business solutions.

Mr. Baker has successfully led a number of high-performance technology teams in designing, deploying and maintaining secure, cost-effective computing environments for well-known companies, including Warner Music Group, The Princeton Review, Bear Stearns, About.com, and Lewco Securities.

For over a decade, Andrew has exhibited thought leadership on technology and business topics via mailing lists, technical forums, blogs, and professional networking groups, along with contributions to podcasts, webinars, and over 20 technical/business magazine articles. He also serves on several boards and committees for non-profit organizations, and within the Seventh-day Adventist church.

His personal interests include Astronomy, Basketball, Bible Study, Chess, Comics, Computers, Family Life Ministries, Reading, Strategy/Role Playing games, and Professional Networking...

A summary of Andrew's current résumé is available here, and he can be reached on a variety of social and professional networks, including LinkedIn, Facebook and Twitter.