Why managing information security as a business risk is critical, part 2: Reputational harm

Part 2: Reputational Harm

In Part I of this series, we covered the direct financial impact—like outright theft and costly website downtime for an e-commerce site—that a cyber security crisis can have on a business. Although immediate revenue loss is the most obvious consequence for an organization that suffers an attack, it is not the only repercussion. A security breach can severely damage an organization’s reputation with the public and can also harm a CISO’s or CIO’s standing within his or her own company.

Let’s first examine how an information security incident can erode consumers’ confidence in a brand. For example, the Target data breach that was uncovered during 2013’s holiday season exposed 110 million customers’ personal information and, in the weeks after the news broke, the retail giant experienced sluggish sales. In early 2014, when Target released its Q4 2013 earnings report, the breach’s effect came into clear focus: The organization’s profits had fallen 46 percent year over year. A few months later, the company’s CEO stepped down. Target is not alone in its struggle to regain trust after a security breach, either; 36 percent of customers say they will patronize a business less frequently after a breach, according to recent research.

Unfortunately for CIOs and CISOs, when an information security problem arises, they are going to take the lion’s share of the blame—whether that is fair or not. That is likely part of reason, more than half of CIOs cite security threats as their top concern today. Moreover, these IT leaders are not paranoid; a recent white paper from Silverton Consulting Group identified security breaches as the top reason CIOs lose their jobs.

Even when CISOs or CIOs are not terminated after a breach, they will likely struggle to regain the faith their peers had in them previously. In turn, that can make it difficult for IT security professionals to:

• Have meaningful, productive dialogues with other members of the C-suite about cyber security
• Have influence in budgetary and hiring decisions
• Prevent future attacks

One of the keys to avoiding reputational harm to a security professional or company is for CIOs and CISOs to begin having conversations about how to mitigate risk before a significant breach occurs. In the same way that stakeholders strategize before making major hiring decisions or allocating significant resources to a project, security operations management professionals and other business leaders outside of IT should conduct risk assessments related to information security. These conversations will lead businesses to identify the information and functionality most critical to them and create a multilayer plan—including advanced security solutions, end-user education and protocols for incident response—for protecting these assets.

The truth is that C-level executives are often extremely busy, so it falls to the CIO or CISO to take a proactive approach to emphasizing information security in an organization. The tactic can be contagious, pushing other company stakeholders to focus more on security as well, and creating an atmosphere where it is prioritized and IT security staffers are viewed as leaders inside a company. Once that happens, it becomes far easier to ensure buy-in throughout the enterprise. In reality, a proactive approach to information security is crucial because the speed and complexity of today’s attacks means that your company is behind the eight ball if it fails to implement upgraded security tools or protocols before a breach occurs.

Check back soon for the third and final installment of this series in which we will tackle how treating information security as a business risk helps protect against intellectual property loss.