[BreachExchange] Information security can enable business as soon as we change the conversation

Audrey McNeil audrey at riskbasedsecurity.com
Tue Apr 10 18:59:49 EDT 2018


https://www.helpnetsecurity.com/2018/04/10/information-security-enable-business/

Information security is an enabler for business. This has been a mantra for
some time, and although it is repeated at major conferences, the reality is
that the lack of good security practices is more a disabler.

Take for example the recent Facebook woes: one analysis suggests that the
#DeleteFacebook movement reached a peak of 60,000 mentions on Twitter. If
we calculate the estimated average revenue per user, this equates to a
maximum financial impact of US$360,000. That's hardly significant.

However, that figure fails to recognise some major caveats such as the
geographic location of each of these mentions (because US-based users
generate more revenue for Facebook), and not every mention will lead to a
deleted account. More telling is that Twitter as a platform is hardly
ubiquitous, and thus is not the best barometer to determine intent.

Our demands for better security and privacy controls are often reflected in
case studies in which the failings occurred “elsewhere,” and the failure to
invest is then woven into the inevitable “I told you so” messaging. The
CISOs unfairly take the blame as they update their resumes after two years.
Surely this approach has to change. Information security’s ability to
enable business depends on the value placed on good security and privacy
practices by those buying the services.

Sadly, as in industries such as insurance, the value of information
security is not apparent until something bad occurs. It is only at these
times that the inadequacy of the solutions is discussed, and whether the
antimalware product failed to detect a new variant of ransomware. This
discussion completely ignores the thousands of variants the security
solution did stop; the entire discussion focuses on the negative of how it
failed to stop the one variant that criminals ran through a
counter-security product service.

Our purpose is not to bemoan the issues we face but rather to consider how
this vicious cycle of blame can be broken. Education is often cited as a
tactic, but the reality is that cybersecurity is communicated day and night
and is mainstream news. In reports of each major campaign the focus is on
which country was behind the attack, and its perceived level of
sophistication.

The real story, however, is the impact of a campaign. This story is not
communicated because it is difficult to measure immediately. Yet this is
the most important part of the story because failure to appropriately
manage risk impacts investment and revenue. The effect on individuals can
be considerably more damaging, as the Ashley Madison case demonstrates.

Developing a different narrative for the discussion is imperative. Some
companies have already taken a position to consider what I hope will be the
future expectations of data subjects. “How do companies make their money?”
asked Apple CEO Tim Cook. “Follow the money. If they’re making money mainly
by collecting gobs of personal data, I think you have a right to be worried
and you should really understand what’s happening with that data.” If we
can provide a transparent world in which we understand what and how
companies manage and protect our data, then information security can
finally be the enabler we know it should be.