One of the study findings was that 76 percent of marketers surveyed agree that security breaches negatively impact a brand, and 60 percent believe strong security can be a competitive differentiator. But the findings also point out that 60 percent of the marketers surveyed reported that security has not become a more significant theme in marketing communications.

I have seen this type of contradiction for PCI compliance adoption as well.

It has been reported that only 25 percent of level one merchants are compliant, although that number was expected to reach 75 percent by the end of 2006.

One can argue that these are two separate topics with different challenges and should not be compared. However, I just wanted to bring these up as food for thought as the role of the chief security officer (CSO) is a very challenging one. You are in charge of physical as well as information security covering the entire organization.

And, while a 2006 global state of security survey shows that security spending may be as high as 17 percent of the average information technology (IT) budget, in reality, most CSOs still have budget constraints. The key will be to convince all executives and the board that security can help them generate more revenue and, at the same time, avoid huge breach clean-up costs and fines.

It amazes me that even after so many well publicized security breaches — resulting in huge financial losses and embarrassing regulatory fines — many companies still consider security an expensive budget item and treat it as such. It may be due to the age old struggle all security professionals face in proving the business value for security.

However, we now have more data available, such as the above-mentioned security and brand trust study. We need to use this information to develop great relationships with marketing and all other business line executives. The CFO should be aware that with good security measures, you may even get a discount on cyber insurance. The CEO and board members should take the trust and reputation risks into consideration. Once their perspective is changed, then security will become significant and a core value for the company.

 

30 seconds on...

Risks to outsourcing
One security incident can wipe out all the cost savings from outsourcing, says Deven Bhatt. He says to look for ISO 27001 implementations, SAS 70 type of independent audit reports, and the completion of a BITS matrix.

Breaches getting worse
Over 330 data loss incidents have occurred since February 2005, according to the Privacy Rights Clearinghouse. These incidents involved more than 93 million individual records. Most were a result of lost or stolen laptops.

The cost of a breach
Ponemon Institute found that the cost of dealing with a data breach rose in 2006 by 30 percent to $4.8 million. This was based on an average cost of $182 per lost customer record with an average of 26,300 lost customer records per breach.

First step: encryption
Gartner analyst Avivah Litan, at a Senate hearing investigating a breach at Veterans Affairs, recommended encryption as the first step enterprises and government agencies should take to protect customer/citizen data.