It is encouraging to see more organizations treating the management of information security and risk as core business capabilities, because they will increasingly be evaluated on these capabilities not only by regulators but also by customers, suppliers, and business partners, to the point where security becomes a matter of competitive differentiation.
For customers and citizens, entrusting information to a third party is already a highly selective decision, and organizations are increasingly aware of the effort required to build that trust, and of the speed with which it can be lost through a single incident. Competing on information security and risk management goes significantly further, though: it requires a rock-solid internal framework (based on policy, process, and culture, rather than being technology-centric) and the consistent marketing of these attributes as part of a company’s brand and customer experience.
Internally, this necessitates a highly proactive, risk-based approach to security, in which the likelihood, impact, and remediation requirements of a breach are considered in the context of business operations, and in which there is a mature and tested process for responding to security incidents.
Regulators are in any case compelling organizations to be more transparent in reporting breaches, but this transparency should extend to communicating a company’s proactive security measures externally. A further consequence of this trend is that it increases the scope for comparison between organizations, both by external stakeholders and internally as a benchmark.
While data privacy is an obvious and high-profile concern for customers and citizens, there are broader aspects of information security that can set organizations apart, including those related to intellectual property, commercial integrity, public safety, financial assurance, health and wellbeing, and regulatory compliance.
Tim Jennings is Ovum’s chief analyst for enterprise IT and an Ovum Research Fellow.