Data Security as a Business Case
Once we accept that reality, the next challenge is to acknowledge that a certain amount of IT risk is a part of conducting business. Risks also come in many different forms. I'm often asked which is worse -- regulatory, policy or compliance risk? I believe it may actually be reputational risk. Ask yourself what would be the impact to your company if data breaches led to negative press harming your company's good name? Think: Heartland.
Data Security as a Competitive Advantage
Your company's data security posture needs to be appropriate to the industry you're in. If your customers are in a heavily-regulated industry such as financial services or healthcare, your data security posture needs to meet their expectations as well. Having a substandard product, including a substandard security posture, will cost your company money.
Most people consider their company's security department a cost center, never a profit center. Putting the necessary controls in place to appropriately safeguard sensitive data costs money, delays projects and -- in the minds of many executives -- will never add to the bottom line. The truth of the matter is that a well thought-out security posture can boost a company's profitability by providing a competitive business advantage. As companies such as banks, credit unions and hospitals become more aware of their data risks -- and regulatory responsibilities -- they are requiring service providers to show evidence of their data security practices. If your company is one of those service providers, being able to demonstrate a strong security posture puts you one step ahead of your competition. It can help you 'close the deal,' giving you a leg up over competitors with a weaker IT security posture.
A thorough and well documented security program can also result in quicker audits with more favorable findings. The impact of a negative audit, whether it be from the OCC, SOX 404, or the result of a FISAP or Type II SAS-70, can force a company into playing catch-up for years in order to remediate the findings. The effort of having to fix problems is always more expensive than doing it right the first time. Simply put, you can build it for a dime, or fix it for a dollar. An audit report full of negative findings can keep you from closing deals.
Data Risk as a Business Decision
If you're going to accept IT risk in business, make sure there's an upside benefit to justify it. All too often, companies are using sensitive information in ways that unnecessarily expose them to risk. Ask yourself: Does your organization use Social Security Numbers as a customer identifier? When you consider the potential financial impact if a system containing Social Security Numbers were to get hacked, it makes for a very risky identifier. A company could simply create customer numbers that would serve the same purpose, with none of the risk. Remember, Social Security Numbers are mainly needed for tax reporting. Are you accepting millions of dollars of potential risk just because you don't want to update your databases?
Companies can further reduce their data security risks (and costs) by limiting the number of systems that house sensitive information. It's cheaper to secure a small portion of your network than the entire network itself. In addition to limiting the number of computers that sensitive data resides on, I recommend limiting the kinds of configuration that can be used. It's far easier, again cheaper, to support and secure a handful of different computer technologies than to try and support every type of system currently in existence.
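The two points above (replace the Social Security Number with a purpose-made customer number, and keep the sensitive value on as few systems as possible) can be checked against a concrete schema. The following is an added example, not code from the column or its author: it builds a legacy SQLite schema in which the SSN is the customer key and therefore propagates into every table that references a customer, and a surrogate-key schema in which operational tables carry only a random customer number while the SSN lives in a single, separately governed table used only for tax reporting. The table names, the `C-` identifier format and the sample record are assumptions made for the example.

```python
import secrets
import sqlite3

# Legacy design: the SSN is the customer identifier, so it is copied into every table
# that needs to reference a customer (constructed example schema).
LEGACY_SCHEMA = """
CREATE TABLE customers (ssn TEXT PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE orders (order_id INTEGER PRIMARY KEY,
                     ssn TEXT NOT NULL REFERENCES customers(ssn),
                     amount_cents INTEGER NOT NULL);
CREATE TABLE support_tickets (ticket_id INTEGER PRIMARY KEY,
                              ssn TEXT NOT NULL REFERENCES customers(ssn),
                              subject TEXT NOT NULL);
"""

# Surrogate-key design: operational tables carry only a random customer_id. The SSN is
# stored once, in tax_identity, which only the tax-reporting job needs to read.
SURROGATE_SCHEMA = """
CREATE TABLE customers (customer_id TEXT PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE orders (order_id INTEGER PRIMARY KEY,
                     customer_id TEXT NOT NULL REFERENCES customers(customer_id),
                     amount_cents INTEGER NOT NULL);
CREATE TABLE support_tickets (ticket_id INTEGER PRIMARY KEY,
                              customer_id TEXT NOT NULL REFERENCES customers(customer_id),
                              subject TEXT NOT NULL);
CREATE TABLE tax_identity (customer_id TEXT PRIMARY KEY REFERENCES customers(customer_id),
                           ssn TEXT NOT NULL);
"""


def open_db(schema):
    """Create an in-memory SQLite database with the given schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(schema)
    return conn


def new_customer_id():
    # 64 random bits from the OS CSPRNG: the number is unguessable and encodes nothing
    # about the person, unlike an SSN. (Identifier format is an assumption of this example.)
    return "C-" + secrets.token_hex(8)


def add_customer(conn, name, ssn):
    """Insert a customer into the surrogate-key schema, isolating the SSN."""
    customer_id = new_customer_id()
    conn.execute("INSERT INTO customers VALUES (?, ?)", (customer_id, name))
    conn.execute("INSERT INTO tax_identity VALUES (?, ?)", (customer_id, ssn))
    return customer_id


def tables_holding(conn, column):
    """Return the sorted list of tables whose definition contains `column`.

    This is the 'how many systems hold the sensitive value' check from the text, applied
    at table level: the fewer tables carry the SSN, the smaller the surface to protect.
    """
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    hits = []
    for table in tables:
        cols = [r[1] for r in conn.execute(f"PRAGMA table_info({table})")]
        if column in cols:
            hits.append(table)
    return sorted(hits)


def ssn_for_tax_reporting(conn, customer_id):
    """The one path that legitimately needs the SSN: resolve it from the vault table."""
    row = conn.execute(
        "SELECT ssn FROM tax_identity WHERE customer_id = ?", (customer_id,)).fetchone()
    return row[0] if row else None


def demo():
    """Compare how far the SSN spreads in each design."""
    legacy = open_db(LEGACY_SCHEMA)
    surrogate = open_db(SURROGATE_SCHEMA)
    # Constructed sample record; "000-00-0000" is not a valid SSN by design.
    cid = add_customer(surrogate, "Ada Example", "000-00-0000")
    surrogate.execute(
        "INSERT INTO orders (customer_id, amount_cents) VALUES (?, ?)", (cid, 4999))
    return tables_holding(legacy, "ssn"), tables_holding(surrogate, "ssn")


if __name__ == "__main__":
    print(demo())  # (['customers', 'orders', 'support_tickets'], ['tax_identity'])
```

In the legacy layout a compromise of the orders or support system exposes every SSN; in the surrogate layout those same systems hold only opaque customer numbers, and the single table that still carries SSNs can be placed on the small, tightly controlled part of the network the column recommends.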
The Security Zealot
I also caution colleagues about being security zealots. A company's security posture needs to be appropriate to the industry it's in, as well as to the data involved. All too often, security professionals will insist on total protection -- absolute security. To them I say, be vigilant, provide thorough and accurate risk assessments so that executives can make informed decisions. Keep in mind, however, that security, while very important, needs to partner with business without unduly hampering it.
Ask yourself, ultimately: Do you work for a company that is security conscious, or for a security company that conducts business as a sideline?
Philip Alexander is a 20-year veteran in the IT security field, currently employed by a major financial institution. He also is a professional speaker and the author of the books, "Information Security: A Manager's Guide to Thwarting Data Thieves" and "Hackers, Data Breach Disclosure Laws: A State by State Perspective, and Home and Small Business Guide to Protecting Your Electronic Assets, Privacy, and Identity." Contact him at firstname.lastname@example.org.