• United States



Corporate Image: Security Sells

Dec 01, 20049 mins
Data and Information SecurityIT JobsIT Leadership

Some companies are so serious about security, they try to make it part of their corporate image

If the challenge for CSOs is to market themselves

and the security messagemore effectively, then surely the companies below must represent the end goal. Citigroup, Microsoft, OnStar and El-Al are so security-conscious that they’ve all, in one way or another, incorporated it into their brand image. Translation: They advertise security or otherwise make it part of the message they present to customers and business partners. Look closely, though, and you’ll find that these companies share a common goal: to create a sense of trust for their customers—while being careful not to overpromise.Citigroup Fights Identity TheftIn February 2003, Derek Bond, a 72-year-old retiree from Bristol, England, spent three weeks sleeping on the concrete floor of a South African jail after his name and passport number showed up on an FBI wanted list as he arrived in the country for a vacation. In vain, he protested that not only was he ignorant of any supposed crimes he’d committed in America, but he’d never even been to the country. Release didn’t come until the publicity surrounding his fate prompted an informant to point the FBI to the “Derek Bond” whom they did want to talk to, comfortably holed up in Las Vegas, after purloining the identity of the real Mr. Bond some 14 years before.

Bond’s misfortune illustratesto the extremethe menace of identity theft. But it’s not jail time that worries people so much as impaired credit records and fraud. Armed with just a few pieces of informationinformation readily available from trash or stolen documentsidentity thieves can take advantage of lax security at financial institutions to enrich themselves.

Not if Citigroup can help it, says Ronni Burns, director of business practices for Citi Cards, the group’s credit card arm. In 1991, she says, Citi was among the first card issuers to offer its customers early warning of fraud, by programming computers to spot suspicious transactions. And in 1992, Citi followed this by being the first major card issuer to include customers’ photographs on cards.

Most recently, Citi has bolstered its identity-theft prevention offerings with a personalized solution that involves trained counselors providing support to victims. In the event that a customer’s identity is stolen, explains Burns, a single Citi representative is assigned to the case to help customers identify the fraudulent transactions, fill in the various police forms, notify credit bureaus and generally get their lives back on track.

A high-profile advertisement campaign to launch the service has certainly caught the imagination of both consumers and the advertising industry. Victims are shown on screen going about their everyday activities, but the voice coming from their mouths is that of the thief, who is usually describing what he did with the money he stole.

The television advertising spots were named 2003’s advertising campaign of the year by Adweek magazine, and also won an Emmy. “The person you see on screen and the voice you hear are very disconnected, as are the topics being discussed,” says David Sigel, group account director at Fallon Worldwide of Minneapolis, which dreamed up the ads. “It’s very funnybut very vividly brings identity theft to life.”

At Citi, Burns concedes that it’s difficult to determine the number of new customers the service has brought the bank. “In terms of fraud detection, our customer satisfaction ratings are extremely high, and amazingly high in terms of the identity theft solutionwhich is usually a good leading indicator of new business,” she says.Microsoft Aims for TrustworthinessCuriously, one of the biggest developments in Microsoft’s historyand certainly one that is intended to have an enormous impact on its customersisn’t being marketed yet. Or at least not in the direct manner that Citigroup is using.

While Microsoft does actively promote some security-related products (including through advertisements in CSO), “Trustworthy Computing,” as the company christens it, deliberately isn’t mentioned in the company’s advertising. “There is no advertising around Trustworthy Computing at all,” insists Microsoft spokeswoman Nicole Miller. “As far as I can recall, there hasn’t been a single press release on the subject.” The company does, of course, provide a website that explains the initiative, and a quick Google search will turn up plenty of Microsoft quotes discussing the initiative in the media. The initiative stems from Chairman Bill Gates’ well-publicized leaked edict to Microsoft’s 50,000 employees in January 2002. After a turbulent period during which security loophole after security loophole was found in the company’s products, Gates was forced to recognize the adverse impact on Microsoft’s reputation. From here on, he insisted, security was job number one. “Flaws in a single Microsoft product…not only affect the quality of our platform and services overall, but also our customers’ view of us as a company,” Gates wrote. “We can and must do better.”

But how much better? Well, Gates pointed to the local phone company as the role model: Security should be as reliable as the telephone system’s dial tone. But to Gates, customers’ perceptions of Microsoft were far from allowing the company to include itself in the same category. A long-term mission, dubbed the Trustworthy Computing Initiative, was henceforth under way to redeem Microsoft’s brand and image in the eyes of its customers.

A little short of three years later, Microsoft is still hesitant to portray itself as now trusted and secure. The company talks about security, sure. Windows XP Service Pack 2, says Microsoft’s Miller, is promoted “because Microsoft feels that it provides better protection for its customers.” But Trustworthy Computing itself is still a long way from victory.

In fact, says Chief Security Strategist Scott Charney, who describes the initiative as “very much a work in progress,” Microsoft has had to apply strong-arm tactics to software vendors who have built Microsoft technologies into their products: They are not to make claims that aren’t yet matched by the reality that Gates wants to see. “We’ve told vendors not to put out advertisements saying that you can have a secure environment on a Microsoft platform, because we’re just not there yet,” says Charney.

Nor will those vendors be making such claims anytime soon. According to Charney, Trustworthy Computing is a root-and-branch reform of the way the company conceives, designs and codes its products. Some practices were probably long overdue: a central database logging every alteration to a product’s code, for example. But the biggest transformation has been the decision to adopt what Charney describes as a “security development lifecycle”building security into a product from conception, rather than through repeated testing and debugging.

“We’ve changed the way that we develop code: We first develop threat models that look at how that code might be attackedand then we build responses to those threats into the code,” he says. “It’s systemic, rather than trying to fix individual bugs.”

No product has yet gone through the whole process, but Charney offers some evidence that products being released today (which have gone though at least part of the process) have a much improved security performance. Windows Server 2000, for example, had 42 distinct security flaws announced in the first year of release. Windows Server 2003, however, had just 14. That’s a data point that might show the way to a transformed brand and image for a company that sorely needs to get the security religion.OnStar Sells Peace of MindIf you’re going to set up in business as a guardian angel, you’d better be a guardian angel that people trust. That, in a nutshell, is the brand challenge facing OnStar, the in-car, cell-phone-based driver assistance service. Lost and confused, in an auto wreck, broken down or needing any other kind of assistance? Press the OnStar button in your car and a friendly voice will answer, ready to assist you.

“Key to the promise of the brand is that a real, live person will share your problem and help resolve it,” says Andrew Young, director of marketing at Detroit-based OnStar, who’s been with the business since its inception in 1996. “They’ll make connections, find information and help you.”

The help depends on the nature of the problem. OnStar is careful to avoid overpromising, says Young, and tries hard to make sure that subscribers understand the limitations of the service. “We’ve tried to be very honest in how we market the service and build the brand,” he says. “We are a significant enhancement to someone’s security and safety, but we’re not 100 percent. We don’t own the wireless networks, we need an electrical supply in the vehicle, and we don’t have a roadside capability of our own. We’re an interface between the consumer and third-party service providers. We provide peace of mind.”

That said, OnStar is astute in pointing out what it can doespecially when that highlights what others can’t do. Often that boils down to OnStar’s marriage of cell-phone telephony with GPS satellite navigation capabilities. When you’re lost, for example, two critical pieces of information are (1) where you are and (2) the directions for getting back on course. As Young observes, if there’s no one around to tell youor if you’re in the sort of location where getting out and asking seems inadvisablethen OnStar is a perfect solution.

Likewise, he adds, dialing 911 in an emergency is all very well and good, but how does the dispatcher know where you are? Minutes can be lost while the emergency services try to locate youwhich in the event of a serious accident can literally make the difference between life and death.

For the past two years, OnStar has been running a radio advertisement campaign featuring the voices of real callers. “The voices are of people who are hurt or panicking or upset. They’ve maybe been in an accident or are perhaps trapped in a vehicle, and the doors are locked,” says Young. “People listen to the advertisements and understand the relevance of the service we provide and respect us for using real voices of the people we’ve helped.” Tellingly, he adds, “The consumer research we’ve done suggests that people perceive us as an emergency service.” And for a business that’s careful to advertise itself as merely “peace of mind,” that’s quite a compliment. *