Most companies have an information security programme. They may even have a chief information security officer to protect their information-based assets, though most do not. However, in many cases, the reason they have those programmes and information security executives may be somewhat disingenuous.

Many companies have those programmes in place to satisfy regulatory requirements or as part of good corporate governance. That is reason enough.
A business reason
But as businesspeople, shouldn't we be looking for a more business-related reason for such spending, rather than chalking it up as the cost of doing business? Is there a business case for information security beyond regulatory requirements and good corporate governance?

I would argue there is a very good business reason for information security beyond the regulatory issues.
Weaknesses in the security of information systems have led to hundreds of millions of pounds being lost to computer-assisted fraud and a lack of confidence in buying online. Your customers will not use online services if they do not believe they are secure.

Many consumers cite security concerns, in particular identity theft, as their primary reason for not shopping online. In most cases this attitude is reflective of the internet as a whole, rather than one particular company, though having a publicly disclosed information breach isn't helpful.

For the internet to reach its full commercial potential, we must instil confidence in consumers that their transactions and personal data are safe. If consumers do not feel they can protect themselves and do not feel that we as suppliers can protect their data, they will not make purchases on the internet - or at least not in the volume they would if they felt protected.
Changing perceptions
We need to work to change that perception, so we may tap this under-utilised portion of the market. In order to do that, we must have the resources and executive management backing to develop security programmes that not only protect the company's assets but foster consumer confidence and add to the bottom line.

In addition to a sufficient information security programme, a way forward would be to utilise that programme from a sales, marketing and public relations perspective. If a consumer is hesitant to buy a product online, they would be more likely to buy if they knew their prospective supplier was taking steps to ensure the safety of their personal data.

A marketing campaign surrounding the company's information security programme would not only enhance the reputation of the brand but add to the bottom line. If you are not proactive about marketing your information security programme to your customers, your competitors might be.
Richard Starnes is a security consultant and president of the Information Systems Security Association