Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Friday, June 01, 2007

Forget security and privacy: Focus on trust

Security and privacy are bad words with bad histories, evoking bad connotations with most enterprise stakeholders.  For companies to succeed at safeguarding their data, these words must go away.  Information security and privacy protections as we know them today are a response to the ills that have befallen enterprises over time.  Enterprises experience a problem or incident and don’t want it to happen again, so they find the most practical way to eliminate it or mitigate against it.  As a result, security and privacy practices tend to be restrictive.  Every organization uniquely figures out where best to place them-so long as the chief executive doesn’t have to be too bothered.  As a consequence, neither security nor privacy has been associated with the positives of most institutions or with their strategically important initiatives.  They are clearly not viewed as activities that will help enterprises gain market position, enhance their reputations or provide competitive advantage.

Money and investments focused on security and privacy are most often viewed as insurance premiums-to be kept to a minimum consistent with the negative risk experience of each institution.  Such spending is certainly not perceived as an investment for winning stakeholders, sustaining excellence or achieving market leadership.

But today’s world, where an increasing majority of institutions do business online using telecommunications networks that span the globe, security and privacy protections expressed in negative terms don’t make the grade.  They must adopt an approach based on winning the trust of all stakeholders-customers, employees, channel partners, contractors, vendors and shareholders all.

Trust means stakeholders feel safe in the hands of these enterprises and are confident in the secure delivery of their products and services along with protection of their private information.  Given the status of security and privacy today, the CIO is most often anointed as enterprise information security and privacy champion.  When stakeholders’ experiences with an institution consistently meet or exceed their expectations, these experiences build awareness, then breed familiarity and finally, earn trust-which inevitably translates into profit.

Amex provided its card members and service establishments with, at the time, a revolutionary new way to do business: They could execute secure and private financial transactions anytime anywhere in the world.  The linchpin of this model was and is the magnetic-striped card that identifies and validates individual card members and other authorized stakeholders to use the integrated global network.

A trust-based business model is also a natural extension of enterprises’ commitment to compliance with Sarbanes-Oxley (SOX) regulations and the transparency that results.  They need to create incentives for their executive management to create an operating model that earns stakeholders’ trust.  Companies will use trust to forge new alliances with stakeholders by guaranteeing secure and private interoperability.  And in doing so, companies will define competitive success in a global online real-time marketplace.

Posted on 06/01