This is part of a blog series. For more details, start with the intro.
This is arguably the most important motivation for having an IT security program. As an extension of trust, we also have brand and reputation. But being trustworthy implies a strong brand and reputation. If an organisation loses that trust, their brand and reputation suffer accordingly.
Ask any start-up (an actual start-up, not one with the start-up mentality) what the most important thing to them as far as security is concerned, and almost all will say: “trust”. If it’s a consumer business, it’s user trust. If it’s an enterprise business, it is investor and customer trust. Trust that they will not go out of business anytime soon. Trust that they will continue to offer a good product. Trust that they will improve the product. Trust that they are not engaged in criminal activity. Trust that any data they hold about us is properly protected. I could go on, but you get the idea.
For companies where the user is the product, like Facebook, the last point is the most important. Remember the saying: “if you aren’t paying for the product, you ARE the product”. For a company like Facebook to continue to grow, they need all of us to continue to use it in a genuine, authentic manner that represents ourselves in real life. That’s why they so ingeniously insisted on the “real name” policy. We are psychologically programmed to be true to ourselves; true to our own brand, right down to our authentic behaviour. Why? So Facebook can use our information to sell more advertising. But we willingly do it, largely because we inherently trust that Facebook won’t intentionally do anything bad with our information. Sure, they violate our privacy all the time, but we continue to use it because we trust they have taken the measures to protect our data and the privacy trade-off is something many of us are willing to live with to enjoy the benefits Facebook affords us (some of which we aren't even consciously aware of).
Forrester's Laura Koetzle defines an IT security & risk professional's role as follows:
"We protect our company’s brand – and our Security & Risk program allows our company to pursue new business opportunities safely."I like this definition because I think it defines exactly why we (IT security people) have jobs. What is a security professional ultimately trying to do for their employer? Everyone has their own ideas and views, but if you ask CEOs, they usually say that security teams are employed to protect the company’s brand and reputation. Once again, this is about trust. The simplification of a company's values makes the decision making process much easier. In doing so, one can very quickly decide which IT security projects (or initiatives) are really not adding value to the ultimate goal of maintaining trust, brand and reputation.
This covers off the first part of Laura's definition. But why do so few mention the second part? That’s the ideal situation is it not? As IT security professionals, we would certainly like to think we do that for our organisations. So where’s the miscommunication?
This brings me to the next point - Say yes.