The headline-grabbing data breaches of 2013 are driving organizations to reconsider their security approach. While many started their security program with a compliance-driven focus, companies are realizing that compliance alone cannot sufficiently protect an organization.
There are signs that in the year ahead more companies will develop a proactive, strategic security program and abandon the traditional notion that “achieving compliance” is equivalent to being secure. A study conducted by CyberSource, a credit card processor offering business, electronic payment and risk management solutions, found that only 26 percent of survey respondents cited avoiding non-compliance penalties as their primary motivator, while 70 percent identified protecting their brand image as the main driver for improving the network and data security defenses that keep attackers out of their systems.
Further evidence that business objectives are being linked to data protection and to mitigation of organizational risk can be found in the annual 10-K forms public companies file on their performance. Across almost every industry, companies now state that their operations depend on strengthening their security measures. In these annual reports, security is emerging as one of the key drivers of business processes and as an area that businesses are proactively addressing to protect the confidentiality, integrity, and availability of their sensitive data.
KBR, an American engineering, construction, and private military contracting company, relies on information technology systems to achieve its business objectives. In its 2012 10-K filing, the company acknowledged that any failure, disruption, or security breach of these systems could adversely affect its business, and stated that it relies on industry-accepted security measures and technology to securely maintain the confidential and proprietary information held on its IT systems. This was a step forward from its 2009 filing, which mentioned neither as being strategic to the business.
Humana, a health care company that markets and administers health insurance, acknowledged in its 2012 10-K statement that if it fails to maintain the integrity of its data, including by not strategically implementing new information systems, it will not be in a position to protect that data and defend against cyber attacks. Ultimately, this could lead to failures in business operations that negatively affect the company’s financial position and cash flow.
Back in 2009, the company already recognized that the integrity of the data in its information systems was key to adequately pricing products and services, providing efficient service to customers, and delivering timely and accurate reports of financial results. To achieve this, however, it simply relied on agreements with customers, employees and third parties to protect against misappropriation of the company’s proprietary information.
Wells Fargo, a provider of banking, mortgage, investing, credit card, insurance, and consumer and commercial financial services, has been the target of denial-of-service and other cyber attacks. In its 2012 10-K report, the company included a section addressing risk management. With over 70 million customers, the institution relies on its ability to process, record and monitor a large number of transactions on a continuous basis. The company recognized that regulatory expectations around operational and information security have increased, and that its operational systems and infrastructure must continue to be safeguarded and monitored for potential failures, disruptions and breakdowns.
Back in 2009, however, the company’s 10-K did not include an Operating Risk Management section. It simply stated that if personal, confidential or proprietary information of customers or clients were mishandled or misused by the company or by third parties, the company could suffer significant regulatory consequences, reputational damage and financial loss.
As we turn to 2014, forward-looking companies such as the ones mentioned above are expected to continue developing proactive security programs that focus on data protection and risk mitigation aligned with business objectives. With a strategic security program, companies will also be better able to mitigate the organizational risks that emerge with cloud, mobility, bring-your-own-device (BYOD) and social computing models. As a result of this progression, compliance will be repositioned from the leading driver of security to one security best practice among many.
Compliance remains a necessary concern and business driver, since being out of compliance can mean large fines and reputational damage. While most executives understand that being compliant is a business requirement that must be funded, organizations can and should use those funds to achieve compliance through a proactive security program rather than as an end in itself. The compliance audit process can be used to evaluate and communicate organizational risk, and its results can be fed back to drive improvement of security controls and processes. In this way, organizations can build a robust security program that properly mitigates risk while aligning with business objectives.