
Tuesday, 17 Feb , 2015

Does Security & Privacy Sell? WhiteHat Security Said Yes


Does Security and Privacy Sell? WhiteHat Security bet on the fact that it does. For every other business where tech plays a part in their products or business development, we would like your opinion...


Are IT Vendors Paid To Fail?

The heading links to an article I wrote over a year ago. The discussions that followed concluded that security will always be trumped by cost and convenience, and will never become a deal-breaker, whether for corporate or private purchases.
By simple economic logic, that gives vendors no motivation to invest in secure design.
That assertion is supported by figures in the latest Trustwave Security Pressures report, where 77% of IT professionals surveyed said they felt under the cosh to deliver inadequately secured solutions.
Then, this happened:
Tweet: https://twitter.com/S_Clarke22/status/594410404610211840
So there are CXOs out there with integrity (or more fairly, the clout to challenge the short-term profit motivated status quo). Then there’s this:
Tweet: https://twitter.com/seancostigan/status/594801122457575424
The potential for reputation destruction is at its most extreme in the security trade, and security bodies consuming solutions feel that acutely. That mustn’t detract from what WhiteHat are doing: hats (appropriately) off to them, and may many more (Adobe, Microsoft) follow.
Whether they will or not comes down to having sufficient confidence in their own products and services. If those have a tendency to break, a guarantee just won’t be cost effective. There also has to be huge motivation to abandon the belief that backfilling (some) security during the next phase of development (paid for by extortionate support contracts for the holey stuff) is OK. The business built up around that is incredibly lucrative.
Will enough corporate and private consumers (outside the world of security pros and other paranoid folk), ever vote with their feet? If they don’t, because security just doesn’t matter enough, how can vendors be pushed to re-examine how things are done?
More government sponsored standards and other industry regulators? Is that really the best way? PCI DSS, often offered up as a best in class security standard, certainly hasn’t done all that was hoped. So is there a lever to make both the CXO and Joe Public eschew ropy kit, software and security services? I choose to keep faith, but right now very little looks set to change.


It is a hunt for economic and psychological weapons that let us go head to head with the money gods on their own turf


Why does this matter?

When insecure solutions are sold, the risks get passed on to the consumer, who has little or no legal recourse. Recent class action lawsuits against Sony and others are a possible sign of the tide turning...well, maybe, if the notoriously tech-savvy judiciary can settle on a useful definition of harm.
Not only that, the cumulative effect of shipped vulnerabilities impacts the security of industries, populations and nations as a whole. No one entity can mitigate this, so security has to start at home. On that subject, the questions below apply equally to selling security to your own board. They, just like the population at large, are motivated by savings and speed.

A sustainable status quo?

There are laws and regulations that apply variably to different sectors. Companies will also have more or less well framed security policies. There’s great scrutiny of compliance in financial services (albeit intermittently, if internal risk assessment isn’t mature), but little for retail.
In retail, where we have seen the most and biggest recent breaches, firms are left relatively free to self-police their security and privacy controls. There’s little statutory and regulatory control beyond payment card rules (where applicable), data protection and high level computer misuse law. We also need to recognise that there is often a gulf of difference between those legal and regulatory minimums and what could and should be done to safeguard consumers against current threats to their security, digital safety and privacy.
This is relevant to any number of IT and non-IT products and services and with the Internet of Things, secure design of products and services has never been so vital.
I am looking for insights from Marketing, Sales, Legal, Information Security, Psychology, Behavioural Economics and any other interested parties as research for a follow up article to that post at the top.
As provocation, here are a few related questions:

  1. Will security and/or privacy ever be a deal-breaker for product and service sales?
  2. If not, why not?
  3. If you think it will, in which industries and for what kind of products?
  4. Which demographics are most likely to prioritise security and privacy in buying decisions?
  5. Are vendors motivated to adhere to legal and regulatory minimums for security and data protection?
  6. Are vendors motivated to go beyond minimum security and data protection requirements to assess and mitigate the real level of risk?

Ways to respond:

The intention is to shape feedback into an article for a security trade site where all non-anonymous contributors will be acknowledged. Should you prefer not to be specifically quoted, or prefer to be quoted anonymously, please let me know. Your response and identity may be used to inform my opinion, but details will be kept secret and secure.
So what do you think? Will security ever matter enough?


*PGP encryption can be used for added privacy.
