How your company addresses security is often seen as a simple cost-value equation. You may not be aware that your customers may see it very differently, and how you approach information security today often influences how the public views your overall integrity whether you like it or not.
Back in the early 90’s, the US Customs Service treated information handling extremely seriously. Policies were regularly reviewed, access and activity continually monitored, and both physical and technological information security was nearly a fanatical exercise in dedication to detail and oversight. Apart from law enforcement though, few organizations even considered information security at all.
Over the past 30 years, I’ve seen some rather stark differences in how information security is handled within both the public and private sectors. Within each, the attention paid to it varies significantly. Local governments, for example, often lag far behind the private sector simply because there exists an attitude that they don’t need to bother with it as much. Much of this has to do with simple complacency, but conflicting information coming from state and federal agencies doesn’t help, and compliance requirements are often vague and enforced differently every time the auditors show up.
My observations of the private and other public environments have been largely a mix of ambivalence, reluctance and poorly written regulatory mandates. Enforcement and auditing efforts are all over the map on consistency, comprehensiveness and adherence.
One example: CJIS standards enforcement in the State of Idaho is horrendous. Getting a response from anyone in the state security office is an exercise in futility all by itself. I once called that office 15 times and waited for 4 months to get a simple answer when I asked for specifics regarding passphrase complexity requirements. Law Enforcement IT departments are often left to their own interpretations of CJIS requirements, and frequent changes in how the state reinterprets CJIS guidelines leave them scrambling to become compliant with guidelines that then get delayed for years at a time.
The good news is that over the years, information security measures have grown and matured. The bad news is that this is only happening because recurring corporate and governmental security breaches have raised the public’s fear significantly.
When Sarbanes-Oxley hit after Enron, public companies scrambled to meet the minimum expectations and called that a win. Does this response sound familiar? “As long as these check-boxes are filled out, I’m good for another year.” Of course, not all companies took this approach, and that’s where customer perception, and their perception of your integrity, began to take a more prominent role.
One company actually considered anti-virus to be a luxury and declared at a department meeting one day that installing anti-virus software would be “something to look at for the future.”
That future became very real just a week later…
Their entire network became infected in a single event. 4 days later, 30 technicians working round the clock finally cleaned up the mess, which had spread across their 5 facilities and caused a significant impact on their business. Of course, being a Vegas casino, the public’s opinion of integrity was already low for the entire industry, and public opinion of that particular company wasn’t really much of a factor.
Can you imagine anyone taking that view today? It wasn’t that long ago that more than 100k of Idaho’s State Medicaid records went missing, so don’t think it doesn’t still happen.
Even Idaho Power had to learn the hard way. In their case, a mishandled hard drive became the source of some very public embarrassment as private customer information hit the Internet. Both of these cases created a public outcry; hard questions had to be answered and immediate changes became necessary.
And of course we can’t have this conversation without mentioning Target or Yahoo, just to name the most recent companies to have their shortcomings exposed in a very public way.
These examples highlight instances where a serious dedication to information security and information management could have saved many headaches. To be sure, the perception of those companies by their customers suffered significant setbacks as the level of trust and faith eroded overnight.
Do these examples reflect a failing of process? Was regulatory enforcement lacking? Could a more proactive approach to security have prevented it? Some would like to blame regulations for their own failings, and it’s a simple thing to say “We just followed the guidelines.” “We met the [minimum] requirements!”
They may be right, and they may even have met certain minimum guidelines, but we should be taking a more proactive interest. Not doing so will eventually lead to information security failures, and those failures reflect poorly on your integrity regardless of whether or not you’ve followed every regulatory guideline relevant to your industry. They can also lead to serious repercussions with your customers and even legal action.
When was the last time you did not question the integrity of a company being sued for failing to secure information?
Do you consider information security a matter of your personal integrity? You should…
Companies that take it seriously will foster an environment that links the integrity of their company with adherence to effective security policies.
These companies take pride in being proactive about how they serve their customers’ interests, and information security shows that in a very personal way. When your customers find that their health or other private records have been compromised, things get personal very quickly.
Your attention to data security within your business will be seen as a direct reflection on your integrity as a whole, and how the public and potential customers view your integrity will always be a factor in their decision making, whether you are aware of it or not.
If information security is still something that you “have to do” because you’re told you have to, or only because some regulation says you have to, then you’ve missed the point entirely. We should take pride in that responsibility, and we should link our own integrity to how we address information security.
When you take it personally and always strive to do better and achieve more, you begin to do more than just meet and exceed regulatory guidelines. You also build trust and foster within your customers the understanding that your company has integrity, and that it values them and their information in a way that becomes personal to them too.