Information security is an enabler for business. This has been a mantra for some time, and although it is repeated at major conferences, the reality is that the lack of good security practices is more of a disabler.
Take, for example, the recent Facebook woes: one analysis suggests that the #DeleteFacebook movement reached a peak of 60,000 mentions on Twitter. If we apply the estimated average revenue per user, this equates to a maximum financial impact of US$360,000. That’s hardly significant.
However, that figure fails to recognise some major caveats such as the geographic location of each of these mentions (because US-based users generate more revenue for Facebook), and not every mention will lead to a deleted account. More telling is that Twitter as a platform is hardly ubiquitous, and thus is not the best barometer to determine intent.
Our demands for better security and privacy controls are often reflected in case studies in which the failings occurred “elsewhere,” and the failure to invest is then woven into the inevitable “I told you so” messaging. The CISOs unfairly take the blame as they update their resumes after two years. Surely this approach has to change. Information security’s ability to enable business depends on the value placed on good security and privacy practices by those buying the services.
Sadly, as in industries such as insurance, the value of information security is not apparent until something bad occurs. It is only at these times that the inadequacy of the solutions is discussed, and whether the antimalware product failed to detect a new variant of ransomware. This discussion completely ignores the thousands of variants the security solution did stop; the entire discussion focuses on the negative of how it failed to stop the one variant that criminals had first run through a counter-security product service.
Our purpose is not to bemoan the issues we face but rather to consider how this vicious cycle of blame can be broken. Education is often cited as a tactic, but the reality is that cybersecurity is communicated day and night and is mainstream news. In reports of each major campaign the focus is on which country was behind the attack, and its perceived level of sophistication.
The real story, however, is the impact of a campaign. This story is not communicated because it is difficult to measure immediately. Yet this is the most important part of the story because failure to appropriately manage risk impacts investment and revenue. The effect on individuals can be considerably more damaging, as the Ashley Madison case demonstrates.
Developing a different narrative for the discussion is imperative. Some companies have already taken a position to consider what I hope will be the future expectations of data subjects. “How do companies make their money?” asked Apple CEO Tim Cook. “Follow the money. If they’re making money mainly by collecting gobs of personal data, I think you have a right to be worried and you should really understand what’s happening with that data.” If we can provide a transparent world in which we understand what and how companies manage and protect our data, then information security can finally be the enabler we know it should be.