Tuesday, 17 July 2012

Information Security, Reputation and FUD.

Often I hear sales people use brand and reputation damage to secure information security investment.  Typically done without example, real context or evidence this is a shameless use of FUD. For the uninitiated that's Fear, Uncertainty & Doubt.

FUD is the tool of choice for bad sales people in the information security world, "you might be subject to this, This or even THIS!!".  If you hear these cries you are probably talking to a bad sales person.  Honest consultants will help you manage and understand information security risks.  They may even get to the point where they tell you that some risks can't be quantified using traditional methods and then frame advice using good practice references.  Sensible historical evidence shows how breaches have occurred and we need to learn lessons from these by being open about their cause, target and outcome.  Too many people are suffering preventable breaches at the moment.

However, focusing only on damage to your reputation may lead you astray.  Reputational value is very difficult to quantify in real terms.   Information security professionals should deal in risks based on facts, and how those risks can really impact a businesses.  I wanted to explore a couple of examples after  Dark reading put out an article recently on the "6 Biggest Breaches of 2012".  This looks like a skewed list towards the US but I'm going to pick out three of the commercial organisations on the list.

All arguably big names in their respected sectors.  All have suffered breaches that have been publicly announced one way or another.  All are still trading.  Lets look at some financial indicators :-

Global Payments (data from Google Finance stock feeds)

If you were shown the YTD graph on Global Payments(NYSE: GPN) you could be forgiven for thinking that "the breach" caused an ever increasing share price to drop suddenly and dramatically (in reality the graph scale makes this look worse).   However the graph above shows a full one year of their NYSE price and shows that in July 2011 they also had a big share price dip and that the price has been fairly volatile until recent months.  However, share price != reputation.  Lets look at the other key stats and ratios that are considered. In 2012 Global Payments mean quarter on quarter sales estimates were up, estimated earnings per share were up, compared with 2011.

So is it fair to say their reputation was damaged by a security breach?  Perhaps,  there were a number of articles in the press, a lot of fairly scathing commentary. In reality though whilst their share price took a bit of a knock it was small really.  GPN had similar price drops.  Key business indicators seem to show a company that is holding up fairly well in tough economic times.  Most CEO incentives are geared around financial performance, and not on reports about the company.

Zappos.com Inc is privately owned and so digging up financial data again isn't as straight forward.  They are apparently the number one seller of shoes online.  Gross revenues appear to be circa $1bn with an approximate margin of 10%<unverified!>.  So we would perhaps expect Zappos to be  ├╝ber  brand concious and take intellectual property management seriously as part of their information security processes....  Well maybe they do, I don't know I've never worked with them.  A good friend of mine worked in the fashion industry as an information security manager and told me that culturally that's just not how the industry works.  Lots of designers see the design IP as "theirs" until its actually made into a product that is sold.  Designers flit between companies with their ideas and are given free reign to do as they please.  Anything that seems to put restrictions on them is met by huge barrage of reasons why not to do it and senior management "accepting the risk".  His organisation put a lot of effort into shutting down counterfeiters instead.

Zappos is a retailer though, and perhaps run by people who are only interested in selling product and making margin.  Their senior management probably isn't going to be too interested in information risk management practices (or wasn't).  One would expect their information security to be focused on the risks that will really affect overall margin, logistics and the ability to actually deliver the product and customer service expected.  A denial of service or a breach that took down call centres or heavily disrupted the customer service would likely get people's attention.  Trying to convince someone in this space that information security protects reputation misses the point.  Their reputation isn't made from security, its made from good service.

And then there was Linkedin... You might even be reading this because I posted it on my Linkedin status! Linkedin suffered a breach that was widely seen as embarrassing within the information security community. However, Linkedin are still online, traded and doing business. It will be interesting to see if the breach is ever properly disclosed and if anyone discontinues the service. That being said the Linkedin service has value, and its reputation is built on other things.

Looking at the LinkedIn 1yr stock graph doesn't really show us much either. Hand on heart you can't look at that graph and say "ta da! thats the breach announcement day".

LinkedIn show the same sort of key stat information as Global Payments, key revenue estimates are all higher. Although it is interesting that Linkedin's share price is more than double Global Payments despite them generating lower revenue.

So, next time you hear someone pulling out the FUD gun trying to tell you "its all about reputation" - its fairly clear its all about "them not getting the facts straight".

Security breaches do damage the reputation of companies, but that's not what its all about. Those companies have data which affects others, card numbers, personal data etc. This causes both the business and the consumer to be affected. Businesses can and do recover; in some cases with limited share price damage. Consumers, can and do recover, though are left with having to cancel cards, argue with banks, or check credit reference agencies in case their identity has been stolen.

SME companies can suffer more acutely, typically throwing the problem at IT they are suddenly hit with un-budgeted consultancy, audit, and a lot of new processes to implement and technology to buy. A breach might not leave their reputation in tatters but it could come as a financial and operational burden. Suffering a breach and not having the tools or talent to deal with it can be an expensive exercise. Another reason for having information security management with some degree of strategic oversight.