How To

Security's Real Value

Customer confidence is the payoff for a good information security program—if you market it correctly

By Richard Starnes

November 01, 2006 — CSO —

The Internet has changed how we live our lives—our banking habits, shopping habits, communication habits—and has also fostered a growing, globalized economy. However, with rewards come risks. Proper management of information security risks, such as denial-of-service attacks, identity theft and unauthorized alteration of data, has become critical to the livelihood of companies and individuals alike.

Most companies have in place an information security program. Some even have a CISO tasked with protecting the information-based assets of the company (though most do not). However, in many cases, the reason they have these programs and executives in place may be somewhat disingenuous.

Many companies take these steps simply to satisfy regulatory requirements or as part of good corporate governance. Shouldn't we look for a more business-related reason for such a spend? Is there a business case for information security beyond regulatory requirements and good corporate governance?

I would argue there is a very good business reason for information security: customer confidence.

Weaknesses in the security of information systems have led to hundreds of millions of dollars being lost to computer-assisted fraud and have inspired a lack of confidence in purchasing online. Your customers will not use online services if they do not believe they are secure. This is visible in consumer attitudes toward purchasing online. Many consumers cite security concerns—particularly identity theft—as the primary reason for not shopping online. In most cases, this attitude is not focused on one particular company (though having a publicly disclosed information breach isn't helpful). Rather, this attitude reflects on the Internet as a whole. In this particular case, the Internet is the sum of its

parts. For the Internet to reach its full commercial potential, we must give consumers confidence that their transactions and personal data are safe. Otherwise, your company is in the uncomfortable position of not being able to utilize the benefits of the Internet (lower transaction costs, ability to tailor marketing efforts, reduced real estate portfolio, broader customer reach and 24/7 availability, to name a few).

There is clear evidence in the United States of declining confidence in the Internet. For example, the Consumer Internet Barometer showed that in the first quarter of 2006, respondents' trust ranked at a lowly 25 percent. Webwatch reports that 80 percent of Americans said they are concerned that their identities could be stolen from personal information on the Internet and have changed their behavior because of this. In the United Kingdom, the National Consumer Council report "E-Commerce and Consumer Protection" suggests that e-commerce is not reaching its potential because consumers don't trust it, with 85 percent of adults considering High Street (the U.K. equivalent of Main Street) to be the safest place to shop and 35 percent (including 55 percent of Internet users!) stating the Internet is the riskiest place. And the Ofcom Media Literacy Surveys show that more than 70 percent of respondents do not view the Internet as a safe place for their children and most have little confidence in their ability to use the technologies available to help protect them.