The CSO’s New Role: Guarding Company Reputation

March 10, 2015

The highly-publicized data breaches of 2014 changed the role of corporate security professionals as we know it. Now, more than ever, security IT issues have high-priority business impact and, as a result, companies face tougher expectations around protecting individuals affected by a data breach. This puts chief security officers in the spotlight for major security lapses. CSOs are no longer making only security decisions, but as part of their new “normal,” they are also entrusted with protecting a company’s brand reputation.

CSOs have a tough job. The data breach preparedness and response landscape has changed rapidly in a short period of time. Widespread adoption of new technologies from cloud storage, to mobile payment systems and the Internet of Things (IoT) has introduced new risk considerations to an already complicated field. And the good news doesn’t end there. The situation will likely get worse before it gets better – with an increase in cloud data breaches anticipated this year.

The rise of security incidents has shifted breach response to be one of the most trying tests of brand reputation and customer loyalty. To confront this situation in a world where breaches are realistically inevitable, CSOs should be involved with their companies’ incident response and customer communication plans as well as other areas of preparedness including employee security training and the adoption of a cyber insurance policy.

When faced with breach preparedness and response, CSO’s roles have moved beyond simply protecting data to be the driving force of consumer protection efforts as well. Following a breach, affected parties are demanding more from companies. In fact, according to a consumer survey from the Ponemon Institute, transparency is one of the most important aspects of data breach notification. Sixty-seven percent of consumer respondents expect companies to explain the risks or harms that may be incurred as a result of a breach, and more than half expect the breached company to disclose all facts about an incident.

In addition to being essential to maintaining corporate reputation, consumer protection is quickly shifting to become a compliance issue as well. Regulators and consumers alike are increasingly looking to businesses to protect customers against the impact of security incidents. An industry survey found 63 percent of consumers believe organizations should be obligated to provide identity theft protection after a breach, and many state attorneys general agree. On both local and national levels, proposed legislation is incorporating consumer protection. New cybersecurity law is being discussed at a federal level, and 47 states have introduced their own data breach notification requirements for companies. There is also ongoing dialogue around the kind of protection being offered and what the baseline is for adequate services such as having access to your credit report or receiving proactive monitoring vs. just fraud resolution assistance after the fact, leaving consumers on their own accord to catch fraud themselves.

Everyone’s role has evolved in light of the surge in data breaches. Security executives, in particular, are in the hot seat and must adapt to more pressure to keep data secure and increased scrutiny when a breach occurs. This is certainly understandable. In today’s climate, they are ultimately one of the major lines of a defense to protect a company’s reputation.

Michael Bruemmer, CHC, CIPP/US, is Vice President with the Experian® Data Breach Resolution group. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Bruemmer currently resides on the Ponemon Responsible Information Management (RIM) Board, the Information Security Media Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.