RealSecurity

A Different Perspective of Information Security


The State of Security (Part 3 of 4)

Will state law set a new low for information security?

Look at this phenomenon from an executive perspective. You run a business and use IT and information assets to achieve objectives and grow the company according to your mission. You implement security to protect those assets for three very basic reasons: 1) reduce impact on your customers, 2) reduce impact on your company's brand and value, and 3) reduce legal liability. Now the question becomes: which of these is the most tangible in terms of negative impact? Of course, the answer is "it depends." Let's walk through them.

Consumers typically have short memories and will usually either stay with the provider or move to a competitor. However, in today's highly competitive market, consumers frequently switch providers for reasons that are not the result of any event and are not within the provider's control. This is why, in certain industries, we see fewer metrics for customer retention and more focus on customer acquisition. No company wants to lose customers, but it can be argued that a number of environmental factors unrelated to security events have the same or greater effect on customer loss, and the company has even less control over them.

As an executive you want to protect company value and brand. For some companies brand is everything: Nike, Coke, and Pepsi, among others. Then there are brand behemoths like P&G and Unilever. Brand is critical, and for the giants, brand risk is distributed: if one product takes a hit, the public is typically unaware that the same or a similar product is sold under a different name by the same company. Corporate valuation, especially for publicly traded companies, is critical as well. Investors, individual and institutional, make decisions based on the productivity potential of the company, which can be greatly influenced by a security event. Take Heartland as an example. Its stock value dropped 79% in the days after the attack was publicized; at the time of this writing the stock is worth 58% of its pre-attack value, and only 38% of its three-year average. Clearly, valuation and brand matter to an executive.

So, losing customers hurts, and in really bad cases it hurts a lot. But in most cases consumers have short memories, companies can acquire new customers through strategic marketing, and a degree of customer loss is already expected and planned for. We're talking about spikes more than anything: painful, but recoverable. A decline in brand has the potential to be devastating. Take the Tylenol example of 1982: it took years for the company to recover, and the episode resulted in massive changes to over-the-counter medicine packaging. But the company did recover. A drop in valuation can hurt a publicly traded company and affect operations in many ways, but many, many companies have survived their own crashes. Lucent, for instance, went from being the most widely held stock, trading in the $80 range, to well under $1 within a few years. There are numerous examples of companies whose valuation collapsed but which continued on successfully.

Then there is legal liability, not only for the company as a whole but for individuals. Enron was the impetus for SOX, but there were many cases of executives going to jail and companies imploding over legal matters long before Enron, many since, and many more to come. Corporations have been dramatically affected by legal consequences. The legal process is extraordinarily expensive, and the resulting fines can run well into the hundreds of millions. Case in point: AEP settled in 2007 for $4.6 billion, plus $15 million in civil penalties and $60 million in cleanup and mitigation. Legal liabilities are, in a word, expensive.

Legal liability can also be the root cause of loss of customers, brand, and valuation. Although losing customers hurts, as does a hit to brand or valuation, it is the legal side that carries the big blow and can drive losses in the other areas as well. As an executive you don't want to experience any of these situations, but I think many would agree that legal costs and liabilities are the greatest concern. Of course, scenarios differ, and executive priorities may shift with economic tides and industry movements, but suffice it to say that legal ramifications are, or can be, the most painful of the three deadly outcomes.

Therefore, when it comes to security, an executive who is predominantly focused on legal liability, with brand, valuation, and customer confidence a close second, is going to start with, "What do I have to do?" Translated, this means, "What is the minimum I must invest so that I can demonstrate due diligence in a court of law and minimize my legal liability footprint?" Interestingly, today, with charges based on negligence, what exactly constitutes due diligence in security is not readily definable. Enter the state governments. Going forward, they are going to supply these expectations, and companies will rapidly gravitate to them in order to minimize legal liability. State laws will become the cookbook for liability mitigation.

In the next and final part we're going to talk about the end of the "security loophole" that was created by compliance and will be killed by it. What implications will this have for the future?

Friday 30 October 2009 at 09:12 am

Posted in compliance
