Questioning the Industry’s Slow Response to Improving Security

Eight Reasons Why Cyber Attacks Hit Retailers

This week, I’m attending the 2015 RSA Conference, where I’ve had the chance to mingle with security professionals and other security writers, as well as get to sit in on some interesting sessions. I was invited to attend a panel discussion hosted by Nok Nok Labs. The panel included Nok Nok’s CEO Philip Dunkelberger; Jon Oltsik, a security analyst at Enterprise Strategy Group; Rhonda MacLean, a former CISO with a number of companies including Bank of America and Boeing; and Giles Watkins, a partner in the cybersecurity practice at KPMG.

The discussion—with quite a bit of audience participation, I should add—revolved around the opening question posed by Oltsik: Why is it taking so long for industry to embrace security?

The consensus was that until recently, consumers weren’t demanding better security practices, so the industry really had little incentive to do much about it. I believe that’s a fair assessment. Based on my own observations and conversations, I feel that business decision makers will focus on meeting compliance regulations and protecting their own interests—and in a lot of cases that means the customer is out of luck. I remember a conversation I had shortly after the Target breach with a friend who owns a small retail business. I asked what she was doing to protect her customers’ credit card data, and she shrugged, saying that was the concern of the company contracted to handle her credit card transactions, not hers. It’s an attitude shared more often than not across the corporate world, unfortunately.

However, the panel at RSA agreed that 2014, “Year of Breaches,” has changed customer attitudes. A common point made throughout the panel is that it has become clear that the enterprise’s approach to security isn’t working anymore, and customers recognize that there needs to be a transformation along with a search for new solutions.

What is the surest sign that customers are beginning to care about the security of their personal information held by a company? They aren’t afraid to take their business elsewhere. We’ve talked many times in this blog about the financial hit a company takes after a data breach, but Dunkelberger pointed out that it isn’t the hard dollars—the fines and fees—where the real impact is felt (at least not by large corporations; a smaller business will definitely feel that impact). It is what he called “the churn,” which is when customers don’t come back and stock prices take a hit. Your customers want to trust you. They want to stay loyal. However, they are now beginning to understand and demand the importance of good security practices. Now, the question is whether or not the industry is willing to meet that demand.

In my next blog, I’ll discuss the panel’s thoughts about why it is so difficult to move away from the password/username model.

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba.