
IT Compliance Institute, December 6, 2005:

Trends and Technologies

Consumers vs. Compliance: Where the Security Buck Stops

Regardless of the laws on the books, consumers hold companies responsible for data breaches, spyware, and phishing attacks

By Mathew Schwartz

Data breaches are taking their toll. According to a December 2005 tally by the Privacy Rights Clearinghouse, more than 51 million individual records have been exposed in publicly reported breaches since February of this year.

Given the predictable outrage and time needed to clean up the resulting mess, there’s an important question to ask, says Toby Weiss, the general manager for security management at Computer Associates (CA). “Who’s really accountable for these 50 million identities being stolen?”

Answering that question objectively is difficult, because identity theft victims often don’t know how their information was compromised. Perhaps they did business with a company whose information security practices were poor and an attacker walked off with their data. Or maybe someone simply picked their credit card statement out of the trash.

Increasingly, however, consumers know exactly whom to blame: the companies with which they do business. That perception is driven in no small part by California’s SB 1386, in force since July 2003, which requires any company holding California residents’ personal information to notify them when that information is lost or stolen (more precisely, when unencrypted personal data is reasonably believed to have been acquired by an unauthorized person). Once the bill became law, consumers began hearing about a great many data breaches that would previously have gone unreported.

Consumers also blame businesses for the rise in spyware and phishing attacks. Companies might argue they’re not responsible for spam that forges their domain in the sender address, or for phishing sites that mimic their Web pages, and fault instead the lax security standards of the Internet itself. But experts say consumers don’t see it that way.

“We’re seeing security becoming a customer satisfaction issue,” says Vadim Lander, the chief identity architect for security management at CA. That is particularly true for financial organizations. “The amount of spyware and viruses is getting to the point where just about every financial organization is looking to do something about that risk.”

Soon, they’ll have to. In its October 2005 guidance on authentication in an Internet banking environment, the Federal Financial Institutions Examination Council (FFIEC) declared single-factor passwords inadequate for high-risk online transactions and expects banks offering financial services online to have multifactor authentication, or equivalent layered controls, in place for customers by the end of 2006.

Yet consumers care less about which security technology a company uses than about whether the company keeps faith with them. “It’s not a technology issue, it’s a social issue,” says Chris Christiansen, the program vice president at IDC for security products and infrastructure software overview research. “You have a social pact about how you do security.”

Navigating Security Growing Pains

The mandate to improve security is clear, yet there will likely be growing pains. For example, to guarantee the authenticity of messages it sends to customers, MassMutual Financial Group created a messaging system in which the e-mail a customer receives carries no sensitive content; it merely directs the customer to an SSL-encrypted MassMutual Web page on which the intended message can be read. The pattern sidesteps the problem that e-mail itself offers no way for a customer to verify who really sent it.

Many users were initially skeptical of the more secure system, since they hadn’t seen anything like it before, says Bruce Bonsall, MassMutual’s chief information security officer. In effect, “the customer receives a weird e-mail: go to our site and read an SSL-secured message.” Not surprisingly, many customers called the help desk to ask if the messages were genuine. “Customers are nervous,” he says. Even so, many now trust the feature.

While MassMutual implemented the improved messaging system to address customers’ security fears, it’s not necessarily a typical case study. In many companies, justifying information security expenditures, whether customer-facing or of a more traditional IT nature, remains difficult. A notable problem is the need to document a tangible security return on investment (ROI) to senior management.

To help organizations budget, then calculate security ROI, firms such as Deloitte & Touche LLP offer business-value studies of intangible security benefits. “Costs can be direct or indirect,” says Deborah Golden, a principal in Deloitte & Touche’s enterprise risk services practice. “You could say, if you did password synchronization, you could increase customer satisfaction by 'x' percent.”

Regardless of ROI technique, many organizations are now revisiting their security budgeting practices. For example, take a telecommunications company with which Golden works. “Their number-one priority is customer satisfaction. Not that they have unlimited budgets. So how do you align the risk of a transaction … while also tactically meeting the needs of your business units?”

Back to Basics

Answering that question, however, often requires answering an even more fundamental one. “A lot of times, we find people don’t really know what they have” in the way of existing security technology, processes, or procedures, Golden notes. Given that ignorance, “how do you align the business drivers?”

Indeed, when it comes to enterprise security, “it’s sometimes the blind men describing an elephant,” says IDC’s Christiansen. Security means a lot of things to a lot of different people—many of them often part of the same company’s management team.

“How do you create tangible value for security?” Golden asks rhetorically. The answer, she says, is first to agree on definitions, since in many organizations people hold wildly varying definitions of everything from identity management and access control to the issuing and revoking of employee badges or telephones, and of how any of that relates to security processes.

Next, the company must evaluate any potential security investments in terms of business need. The fundamental question is, “What is the business driver, and how do you tie it back to ROI?”

One such emerging business driver is the potential for losing customers’ sensitive information. “We see organizations trying to tie dollar amounts to the actual amount they’d lose per piece of information,” says Golden. For example, what’s the cost of losing a customer’s social security number, versus their street address or telephone number?

One enticing risk-transfer measure would be information-breach insurance, yet to date there’s no established market for buying such coverage. “The big problem with measuring security effectiveness is there are no actuarial tables for this,” says Christiansen. In other words, no one has reduced enterprise information security to such black-and-white data points as “do they smoke, or not?” While Basel II and the ISO 17799 security standard (the code of practice since renumbered ISO/IEC 27002) do some of that, he says, it’s not yet enough.

Turning Security into a Building-Permit Process

As organizations weigh how to improve their security practices, it is worth recalling that retrofitting security is notoriously difficult. Ideally, security is a facet of every IT project from the outset. That’s why MassMutual now uses what Bonsall characterizes as a “building-permit process.” It used to be that the security team often saw internal projects or applications “at the eleventh hour,” which inevitably forced a choice between adding security and getting a product or application to market more quickly.

For the last year or two, however, project leaders have had to involve the security team before any IT project can launch. Hence, security is no longer an add-on. “For the most part, it’s built in up front,” he says.

Added security has traditionally risked driving customers away. “Convenience is one of the other things we have to strike a balance with,” acknowledges Bonsall. Still, consumers’ spyware and phishing fears create an opportunity. “One of the things I’ve seen is that we’ve been able to add more security, and most people have been willing to accept a little inconvenience in their lives.”

Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.


This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.