3 Key Conversations about IT Security

(This is the second of a two-part blog from W2 Communications Vice President Tom Resau, who has spent his career developing and executing PR/communications campaigns for leading information security companies. If you like this blog, please share it. Thanks!)

Resau: "In the present day, we’re actively reexamining assumptions and 'truths' about what it means to be secure. We’re constantly assessing appropriate roles for business and government. We’re weighing the ever-evolving trade-offs to balance the pace of technology and new business models against the 'trust factor.'"

In my last blog, I described what I call today’s “Age of Data Breach Enlightenment.” Organizations once shunned any discussion of systems compromises and attacks. (“It doesn’t happen here.”) Across the entire range of industry sectors, employees and the C-Suite alike shrugged off security as something that only concerned “the IT folks.”

The conversation, however, is evolving. Those same organizations are today more inclined to engage each other – and the public – to talk about how they thwarted network intrusions, and even about when they’ve stumbled in averting an attack. They understand that these incidents are the cost of doing business. They perceive IT security as more of an enabler, a differentiator and a continuing effort. Rather than treating it as “province of geeks” discussion fodder, employees and executives at all levels are educating themselves about threats and best practices, with the rise of mobility and Bring Your Own Device (BYOD) giving them more knowledge and awareness of tech and information security.

Everyone is talking because the stakes are high: There were 174 million compromised records in 2011, up from 4 million the year before, according to the most recent annual Data Breach Investigations Report from Verizon.

In working with security vendors to craft their message to increase brand awareness and position their executives as highly visible Thought Leaders, I relish the opportunity to take advantage of this new dialogue to translate such statistics and trends into an actionable, informative message for target audiences. That’s all part of the comprehensive, fully integrated communications/PR strategic consulting that we do at W2 Communications. We’re a high tech PR firm that likes to compare the present to respective pasts in the field and map out several “conversation changers” that are impacting how enterprise leaders must execute a security message campaign today. These include the following:

Breaches are no longer mysterious. They are common, even at well-managed companies and public-sector agencies. Much like a product recall, a security incident inspires the burning question, “Now what?” Informed audiences will generally not condemn organizations when these things happen – unless the incident fits a pattern, or leaders appear unprepared initially and uncommitted to learning along the way.

Everyone wants answers. A decade ago, a terse statement such as “Someone inappropriately accessed information” might have sufficed. It gave reporters a sound bite, so they could survive the first day of the news cycle. Today such superficial statements make the situation worse. Regulators, consumers and employees rightfully want to know “lessons learned” from an incident, to mitigate the risk of it happening again.

The demise of reflexive blame. After a breach, blaming a security vendor no longer presents an easy out. Networks and their perimeters are vast and complex. More people recognize this today and understand that you can harden every piece of technology – to the point where productivity ends and users tear their hair out – and still get burned by a rogue insider, a third-party contractor who installed unprotected equipment and/or a lucky attacker who loves a challenge.

It’s no coincidence that these “new truths” of the enlightened age touch upon management-driven issues as well as technology, because there is no “pure” tech fix to eliminate risk with 100 percent certainty. Rather, vendors and decision-makers must acknowledge the meaningful role new technologies and strategies have in helping managers solve different parts of the problem. That includes being able to spot incoming threats more quickly; recover damaged systems faster; and document where vulnerabilities may exist on an ongoing basis. This way, enterprise leaders can truthfully say they are focused on closing any persistent weaknesses.

In the present day, we’re actively reexamining assumptions and “truths” about what it means to be secure. We’re constantly assessing appropriate roles for business and government. We’re weighing the ever-evolving trade-offs to balance the pace of technology and new business models against the “trust factor.”

Fortunately, in the Age of Data Breach Enlightenment, credible perspectives about these topics from Thought Leaders are always in demand. So we encourage you to reach out to us, to find out how our fully integrated communications/PR services can help you make impactful contributions to the conversation.

@TomResau

Tom Resau is a vice president at W2 Communications, focusing on information security communications/PR campaigns for clients.