Can You Afford to Lose Customer Data?
I noticed a recent article talking about additional fines for ChoicePoint. They were fined for a second breach of security that occurred 4 years after the original intrusion. This may be an extreme case, but it’s a tragic reminder of the importance of proactive security.
As you may recall, ChoicePoint became a poster child for data loss when a 2004 breach was discovered. They struggled for years as the fines piled up and subsequently sold themselves off piecemeal, with Reed Elsevier retaining the ChoicePoint name. However, the story is not as important to me as the company they keep.
Nowadays, whenever someone writes about data breaches, they inevitably mention three names: ChoicePoint, TJX, and Heartland Systems. This continual rehashing of past mistakes is doing massive harm to the brands that these companies have developed, and in that there are lessons for every company that must make a claim about security.
If you are talking to your leadership team about spending for security, be sure to let them know that the cost of a positive brand image is many times the amount you will spend on computer security this year. If your organization makes a spectacular blunder in the security space, you could be one of those names that get bandied about any time someone needs a cheap joke about cyber crime. No matter how much work you do after the breach, it probably won’t matter.
Your job as a security professional is to translate these problems into business terms. Start by estimating the annual value of your corporate brand. Then model a catastrophic security scenario and cost out the 10-year effort it could take to rebuild the brand after the incident. Once you’ve done all that, the real value of good security might be more interesting to management.
Jim Molini, CISSP, CSSLP
