SECURITY INSIGHTS ARTICLES
From One CSO to Another: Reputation Management
By Martin Carmichael, McAfee chief security officer
CISO, CISSP, CISM, ISSAP, ISSMP
A shortened version of an article that appeared on CSO online:
http://www.csoonline.com/caveat/022707.html
If you're a CSO, you're well aware that one major security breach can overshadow an entire career. So how can you protect yourself against the personal and professional risks you face? In the ongoing chess game against malware and hackers, what strategies should you adopt to ensure you're not personally caught in checkmate?
New forms of computer threats are emerging faster than ever before and have stirred attention at the highest level among worldwide regulators, industry bodies and heads of global corporations. According to Gartner, regulation will remain the greatest driver for proactive spending on information security and risk controls through 2010. IDC predicts the worldwide security compliance and control market will grow to $14.92 billion by that same year.
On a financial level, data breaches can be devastating. Take the recent case of U.S.-based CardSystems, a payment processing organization that failed to secure customer and financial information, resulting in millions of dollars in fraudulent purchases as banks were forced to cancel and re-issue thousands of credit cards. On top of this, consumers experienced serious inconvenience and financial uncertainty, as reported by the Federal Trade Commission (FTC). The damage to CardSystems' reputation was such that it was soon forced out of business; major customers, including Visa, refused to do further business with the company.
Breaches can also damage customer loyalty. In banking, for example, a 2006 study by the Ponemon Institute showed that 34 percent of customers would change their bank after one breach, and 45 percent would leave after two breaches. If customers start to ask whether their details have been lost, or partners fear that commercial secrets could have been leaked, then relationships and contracts can collapse.
Personal risk
While security breaches clearly present a threat to the reputation of a business, what about the personal risk to you as the CSO? If you're not able to quantify your security initiatives, chances are that your CIO is approving them based entirely on your reputation, which can be dangerous. Why? Because even loose association with a significant security breach, if not managed correctly, can have a severe impact on your personal reputation.
As a general rule, falling foul of a computer threat can be excusable — once. So if you do suffer a breach, remember this: Demonstrating responsibility can be the difference between keeping your job and losing it. If an investigation proves that you could not have foreseen any problems and that you took reasonable security measures proportionate to the potential threats, your reputation will remain intact. Evidence is what counts.
So how do you quantify those security initiatives to protect your company and yourself? The good news is that thanks to advances in technology, it's now possible to provide a baseline for security. However, when it comes to justifying the necessary expenditures, the reality that most of you face when speaking of SQL Slammers or spyware to many managers and executives is that you may as well be speaking the lost language of the Incas. Business executives just want to know what difference IT security makes to the bottom line, so it's your job to effectively translate your messages into language they can understand.
In some ways the publicity surrounding major breaches can be to your advantage in the justification process, as news of high-profile computer threats is raising awareness to the board level. And board members now know they can end up in jail if regulatory compliance requirements aren't obeyed, so demonstrating compliance will go a long way toward justifying IT expenditure.
The position of the modern CSO is a measure of the importance and the success of IT in business. However, with that success comes responsibility. But if the security buck stops with you — and it does — there's no need to panic. Although attacks will continue as a fact of IT, if you make the right technology decisions you can reduce the risks not only to your company, but to your personal reputation.