Friday, November 7, 2008

Do we value security?

Do we value better security? That's a fair question. I know my readers do, but I'm talking about the population in general. Computer malware has been around almost as long as computers have been. Even in the earliest days, the biggest "iron" that completely filled large rooms, with only dumb terminals attached, had to worry about computer worms and viruses. I've written about this extensively in the past, including some opening chapters in a few of my books, but Wikipedia has a short summary of the history of malware.

As computer software security awareness has spread (back in the original days of the PC, computer viruses were considered an urban legend and declared so by national computer magazines), networking and software complexity have increased to a point that user awareness just cannot keep up. If you look at facts and figures, it is clear that we aren't winning the war against malicious computer acts. It's quite the opposite. Evidence shows that it is continuing to get worse, and few announced solutions appear suited to change that trend anytime soon, though I have hope.

C-level employees and managers certainly care about security. The increasingly regulated business environment, in which they can actually be held personally accountable to state agencies and law enforcement, makes many of them care. But in truth, many only care to the extent that security is carried out to prevent significant decreases in stock price or customer market share.

Sadly, it doesn't appear that shareholders or market share are impacted that much, even by significant computer security events. There is no better example than the TJ Maxx security breach. An international group of professional hackers instigated a security event so big that it stole tens of millions of customers' financial data, resulted in over a hundred million dollars in losses, and to this day continues to be held up by security consultants as the ultimate example of what can happen to corporations.

So, did that breach materially affect TJ Maxx's stock price and customer base? Some news reports on the TJ Maxx incident would have you believe so. This article reports the following events:

  • $118 - $135 million in charges related to the massive security breach
  • Continued international negative media exposure
  • Drop in share price and future charges against future earnings
  • A class action lawsuit has been filed seeking an additional tens of millions of dollars in damages

Another article on the TJ Maxx breach said the following: "That 1.7 percent decrease in TJX's stock price is in line with the percentage price drops for other companies that have announced similar security breaches. A study by Emory University and the Ponemon Institute found that when a company announces a security breach, its stock price drops between 0.6 percent and 2.1 percent."

Now a 1-2 percent drop in share price may not seem like much, but TJ Maxx is a $10 billion company. Do the math. It's huge money we are talking about. You cannot find a single security event that directly affected more customers or caused more commercial loss. Certainly shareholders and customers paid attention ... but maybe not. TJ Maxx's stock price has outperformed the S&P and Dow stock indices by 20-40 percent since the breach and damages were disclosed. Even in today's recessionary market, TJ Maxx continues to outperform the market. It has lost less than the vast majority of companies in the market today. And the customers have spoken. TJ Maxx's net sales from continuing operations for the second quarter of fiscal year 2008 increased 9 percent to $4.3 billion.

And I don't mean to pick on TJ Maxx. I like their products as much as the next guy, and my family continues to shop there. I'm not the pot calling the kettle black. I am the kettle.

But this does point out that even the largest security event on record really didn't cause long-term significant impact to the company that neglected its security defenses (as many, many companies do). It didn't even cause a change in buying habits by a guy who is uniquely familiar with the problem.

If security really was a significant market share factor, lots of companies wouldn't be doing as well as they are. The most popular software installed on most people's PCs today also has the most known vulnerabilities (as can be expected because popularity brings malicious attention), and people continue to install it.

Even the Windows versus Linux versus Apple wars don't evidence any different conclusion. Everyone loves to hate Microsoft (my full-time employer) because of its past perceived lack of security fitness. But even during its questionable security past, market share grew substantially, and you could even argue the opposite. Using Security Development Lifecycle (SDL) programming techniques, Microsoft has significantly driven down the number of security bugs in its products (no disputing this), and spent the last few years releasing its most secure operating system to date, Vista. And User Account Control (UAC), Vista's most noticeable security improvement, is the most complained-about feature in the product by orders of magnitude. Now, you can complain about what UAC does and how it works, but using it does measurably increase your PC's security. And people hate it, and many turn it off. Vista, Microsoft's first operating system built with an intense focus on security, is being adopted more slowly than expected.

Looking at vulnerability counts alone, Linux and Apple aren't doing any better than Microsoft. In fact, most metrics show both products containing far more security exploits than Microsoft Windows, but Apple's market share is growing by leaps and bounds. Apple's Quicktime and iTunes products are among the most frequently patched products in the world, but nearly everyone continues to use them. And I can show you dozens of similar statistics. So much for security as a market differentiator.

I'm not saying that better computer security isn't desirable. Heck, I think it is absolutely necessary to the continued growth of our civilization. I'm not even saying that ignoring security saves money. Certainly it would have been cheaper for TJ Maxx to implement best-practice computer security for less than a hundred million dollars. But what I am saying is that better computer security is not the primary driver motivating customers and shareholders ... at least until some tipping-point event happens. New features, functionality, and prettiness sell more product. I can't come to any other conclusion.

Security officers need to understand this lesson. Security is a laudable goal until it measurably slows down end-users or interrupts operations. Ignore this understanding and you'll certainly hear from management and your customers. Computer security employees are a necessary evil, like accountants, which doesn't bother me because both are paid well. But a successful marketer will make more money.

It's like high-speed wireless Internet access in a hotel. It used to be that Internet access in a hotel was a great selling point. It was something the hotel could advertise and charge premium dollars for. Now, in most hotels, it's expected and given away for free. It doesn't even have to be that high-speed. It's not like most hotel customers (of which I am a frequent one) will pay significantly more for the "best" high-speed Internet access if a much cheaper hotel offers adequate Internet access for less.

This is yet another frustrating point about our jobs. Everyone supposedly cares a lot about computer security, but the penalties for not implementing good computer security are rarely measurable long term and can never override customer satisfaction and sales.
