The infosec industry as a whole has completely overlooked one highly critical group to add to the awareness plan – investors. As with any other section of the corporate population, they need to be informed and educated about the technical and business needs for securing intellectual property.
Recent research on the FTSE 350 in the U.K. illustrates the investment community's fear over the damage that network intruders might inflict on a company.
Four out of five investors indicated that a significant breach in security would have a major impact on share price. Two-thirds said it would influence their decision to buy or sell shares. Nearly nine in ten expected board members to be aware of, and be able to review, their company's infosec vulnerabilities, and 57 percent thought they should know about the company's information risk strategy.
Basically, investors are saying that if you want their money, you need to keep them informed. The research found that there was a significant disparity between business leaders' and investors' perceptions of a security violation's impact.
These viewpoints reveal that how an organization communicates with investors on issues related to IT security influences the firm's perceived risk profile.
Can the presence of an effective IT security awareness vehicle for investors affect a company's stock price? If true, this would be the holy grail of metrics for any IT security department.
Lower the fears of investors and you gain stability in the marketplace, while competitors who fail to do the same will be viewed as higher risk. Not only can this affect your company's valuation, it sets a standard that can be applied to the valuation of other companies.
Furthermore, in the event of a breach, the investment community may be more forgiving of an organization that kept them suitably informed prior to the event. This is because they have some sense of the company's ability to ensure business will return to normal quickly.
Of course, such effects are not always measurable. Proving that awareness activities are responsible for valuation shifts isn't easy. Outside of unambiguous feedback from the street, you need to develop a plan to measure these effects.
This is why PR and investor relations have to be an integral part of the plan. Not only are they usually the conduit to the investment community, but they are also in the best position to sell the awareness activity publicly as a market differentiator, as well as measure its impact.
All this is about risk and the perception of how each business confronts it. Perception is subjective, and can be influenced in both positive and negative ways.
It should now be obvious that all publicly traded organizations need a plan to proactively reach out to investors – a plan that periodically assures them that the company is taking all appropriate efforts to protect itself. As I have yet to find any type of literature that identifies stockholders and potential investors as an audience for IT security awareness, this is not yet obvious to most security professionals. But in these Sarbanes-Oxley times, there could be harsh repercussions if this group is ignored.
Security leaders need to develop, together with PR and investor relations, a "pull" investor communications plan as part of the company's Computer Incident Response Program. The goal is to facilitate a quick response in the event of a significant security incident that becomes public. Neither PR nor investor relations is a group seasoned in information security concepts or the risks involved. Frequently, they are non-technical and need the immediate support of the security group to understand the scope of an incident and the efforts taken to rectify it. Without this support, neither group will be able to craft an effective response.
As an illustration: on February 14, 2005, information aggregator ChoicePoint announced that hackers had breached its network and stolen the personal information of up to 500,000 people.
How did Wall Street react? The firm's shares plummeted 15 percent.