Security is about protecting a company’s brand and trustworthiness amongst consumers and business partners, and once security people begin to understand that, it will be easier to justify their continued existence and budgets.
Mary Kirwan, CEO of Toronto-based Headfry Inc., said security is intimately tied to the brand value and the perception customers have of a company. Security protects a company’s brand value by imparting to customers the idea that the company is trustworthy enough to do business with.
“A brand is a promise to the customer,” Kirwan added. “If you have customers’ private data, the promise you make to them is that you will do no harm to that data. If you handle data badly, it will affect your brand and the value of your company.”
Kirwan pointed to ChoicePoint Inc., an Alpharetta, Ga.-based identification and credential verification services provider, as an example of a company that has recently been in the news after identity thieves gained access to customers’ personal information. “The security breach there has already affected ChoicePoint’s brand and image amongst customers.”
Because security is so tied to brand, Kirwan said security professionals must move away from talking about security as a function of technology.
CEOs and board members often do not understand, or care to understand, what a firewall is, but they do understand that a security breach can cause a loss in stock value, fewer customers buying the company’s products or services, or even the loss of existing customers to the competition.
Stuart McClure, vice-president of risk management product development with McAfee Inc. in Santa Clara, Calif., agreed that security is very much tied to protecting the brand and revenue of a company. He pointed to The Walt Disney Company, which has metrics telling executives how much a crisis such as Mickey Mouse getting an arrow shot through his ears will affect the company’s stock price.
McClure said CSOs and others in charge of security must begin to use credible metrics to make the business case for security. He suggested CSOs move away from the standard qualitative measures of security, such as confirming that a company has firewalls and antivirus systems in place, to quantitative measurements that give a more accurate picture of what is actually secure in a company’s infrastructure. Quantitative measures are consistent, he said, adding that enterprises can repeatedly check such measures to see whether improvements are being made on identified security problems.
“A CEO or CIO wants to know in a credible way how safe they are from attack or how compliant the company is with regulatory requirements,” McClure added. “With quantitative metrics, you can measure everything in the company, see what is critical to protect, take steps to tackle the problem and then test and even retest things to make sure you are secure.”
McClure said using quantitative measurements can also help better identify which assets and systems are most valuable to a company’s business and therefore need to be protected. He added that too many CSOs and security people try to protect everything at the same high level of security. That is not a good use of resources, he said.
“If the box tracking your excise revenue is not as critical to the company as the box that is actually making you money, you need to be able to tell (the board) the cost to the company if that box making you money goes now, and what it will mean to your company’s brand,” McClure said. That is quantitative.
Chris Anderson, a partner with Toronto-based Grant Thornton LLP, said having strong metrics is key not only to justifying security budgets to the board but also to making sure the company gets the most bang for its buck.
Anderson said too often a poor understanding of security needs within a company leads to money being misallocated or too much being spent on fixing supposed security problems. The biggest mistake is when security people assume every security problem requires a technological fix. “You have to look at technology as to whether it addresses a business need or whether you have a process that needs fixing,” Anderson said. “If you are still using ‘password’ as your password, then going with the latest technology wing-dingy with Bluetooth is not going to help.”
By better identifying which security problems technology can address, security people can then take the next step of identifying the technology best suited to fixing the problem. This means narrowing the list of possible vendors down to only those who have proven solution track records for fixing the problems facing the company, Anderson said.
This approach also prevents the person in charge of security from becoming what he called a ‘cushion’: someone who “retains the impression of the last vendor who sat on him.”
Anderson also recommended that security managers ensure products function under duress. “If your security product does not work when it is having a bad day, then it is not a good security product.”