Security's Real Value

Customer confidence is the payoff for a good information security program—if you market it correctly

The Internet has changed how we live our lives—our banking habits, shopping habits, communication habits—and has also fostered a growing, globalized economy. However, with rewards come risks. Proper management of information security risks, such as denial-of-service attacks, identity theft and unauthorized alteration of data, has become critical to the livelihood of companies and individuals alike.

Most companies have in place an information security program. Some even have a CISO tasked with protecting the information-based assets of the company (though most do not). However, in many cases, the reason they have these programs and executives in place may be somewhat disingenuous.

Many companies take these steps simply to satisfy regulatory requirements or as part of good corporate governance. Shouldn't we look for a more business-related reason for such a spend? Is there a business case for information security beyond regulatory requirements and good corporate governance?

I would argue there is a very good business reason for information security: customer confidence.

Weaknesses in the security of information systems have led to hundreds of millions of dollars being lost to computer-assisted fraud and have inspired a lack of confidence in purchasing online. Your customers will not use online services if they do not believe they are secure. This is visible in consumer attitudes toward purchasing online. Many consumers cite security concerns—particularly identity theft—as the primary reason for not shopping online. In most cases, this attitude is not focused on one particular company (though having a publicly disclosed information breach isn't helpful). Rather, this attitude reflects on the Internet as a whole. In this particular case, the Internet is the sum of its parts.

For the Internet to reach its full commercial potential, we must give consumers confidence that their transactions and personal data are safe. Otherwise, your company is in the uncomfortable position of not being able to utilize the benefits of the Internet (lower transaction costs, ability to tailor marketing efforts, reduced real estate portfolio, broader customer reach and 24/7 availability, to name a few).

There is clear evidence in the United States of declining confidence in the Internet. For example, the Consumer Internet Barometer showed that in the first quarter of 2006, respondents' trust ranked at a lowly 25 percent. Webwatch reports that 80 percent of Americans said they are concerned that their identities could be stolen from personal information on the Internet and have changed their behavior because of this. In the United Kingdom, the National Consumer Council report "E-Commerce and Consumer Protection" suggests that e-commerce is not reaching its potential because consumers don't trust it, with 85 percent of adults considering High Street (the U.K. equivalent of Main Street) to be the safest place to shop and 35 percent (including 55 percent of Internet users!) stating the Internet is the riskiest place. And the Ofcom Media Literacy Surveys show that more than 70 percent of respondents do not view the Internet as a safe place for their children and most have little confidence in their ability to use the technologies available to help protect them.

If consumers don't feel that we as vendors can protect their data, they will not make purchases on the Internet—certainly not in the volume they would if they felt protected. We need to work to change that perception. To do so, we must have the resources and the backing from executive management to develop programs that not only protect the company's assets but foster consumer confidence and add to the bottom line. In addition to a sufficient information security program, a way forward would be to utilize that program from a sales, marketing and public relations perspective.

Consumers would certainly be more likely to purchase products if they were aware that their prospective vendor was taking steps to ensure the safety of their personal data. A marketing campaign surrounding the company's information security program would not only enhance the reputation of the brand but add to the bottom line. Be proactive about marketing your security program to your customers—because if you don't seize the opportunity, your competition will. 

Richard Starnes is U.K. director of communications for the Information Systems Security Association.

Copyright © 2006 IDG Communications, Inc.
