Infosec Step

by msecadm4921

Crisis of customer confidence to drive information security, writes John Colley, Managing Director EMEA, (ISC)2.

Over the last 12 months, human error, social engineering, and identity theft have eclipsed the focus on IT system vulnerabilities in the information security world. This can be partially explained by the maturity of information security practice – most companies have deployed at least the basics of information security technology. It is a logical next step that companies and government move on to acknowledge the human side of securing information. Further, the high profile data losses on the part of government and corporations that continue to dominate news headlines are serving to heighten public interest in data protection and information security generally. A crisis of confidence could well be set to take over the pressures of legislation in influencing information security management.

Years of investment and effort have resulted in a successful move to cashless online services and transactions for financial services, retail, national and local government, and more. Business models are adopting online processes as part of their mainstream operations at both the wholesale and retail levels. Marketing organisations have never been more effective at gathering information, profiling and targeting their customers.

Unfortunately, the same evolution has occurred in the criminal world. Concern over identity theft, for example, has mounted and will continue to mount with news coverage of individual incidents. People are alarmed by the enormity of the potential loss to them, with emotional distress over such incidents having the potential to damage customer relationships permanently. Any company or government office wishing to transact online, even those with the most comprehensive and effective security measures in place, must now also recognise the need to invest in assuring confidence in these measures.

(ISC)2 research, including the 2008 Global Information Security Workforce Study, the results of which were first reported here at Infosecurity Europe, indicates an emerging emphasis on assessing risk to confidence in the organisation. Issues highlighted include improving customer and employee awareness, protecting the corporate brand, and concerns over issues related to privacy violations. These were cited as top priority by nearly three quarters of survey respondents. As has been the case with every study, influence and reporting structures are creeping up the management hierarchy, suggesting yet broader business concern.

Customers are clearly at the core of business concern. They are now more than ever aware of their personal risks, even if they don’t know what to do about them. They will have to be confident in the security of business practice if they are going to be confident in the organisation they’re doing business with. Analysis of the technologies being deployed by workforce study respondents shows growing investment in data-focused security measures, with cryptography and database security adopted by more respondents than wireless and vulnerability management technologies. But it won’t be enough for organisations to increase their security measures. Customers must be aware of, and even actively participate in, what is being done. We have to ensure they clearly understand how to avoid errors and why they should act.

Business managers should think hard about what their processes communicate to their customers—do marketing campaigns, for example, suggest that sensitive customer or even account data is being shared widely across the organisation, or worse with outsourced call centres? Can they justify to customers what information they are working with and why?

It’s not out of the question to imagine the information security department and the certified professionals within it involved in front-line customer strategy as the governance of information security becomes highly customer-driven. When confidence in the company is at stake, can there be an alternative?

Diary date

Details of Infosecurity Europe 2008, now in its 13th year. Date: 22 to 24 April. Venue: Grand Hall at Olympia, London.

© 2024 Professional Security Magazine. All rights reserved.