The CSO’s New Role: Guarding Company Reputation

March 10, 2015

The highly-publicized data breaches of 2014 changed the role of corporate security professionals as we know it. Now, more than ever, security IT issues have high-priority business impact and, as a result, companies face tougher expectations around protecting individuals affected by a data breach. This puts chief security officers in the spotlight for major security lapses. CSOs are no longer making only security decisions, but as part of their new “normal,” they are also entrusted with protecting a company’s brand reputation.

CSOs have a tough job. The data breach preparedness and response landscape has changed rapidly in a short period of time. Widespread adoption of new technologies from cloud storage, to mobile payment systems and the Internet of Things (IoT) has introduced new risk considerations to an already complicated field. And the good news doesn’t end there. The situation will likely get worse before it gets better – with an increase in cloud data breaches anticipated this year.

The rise of security incidents has shifted breach response to be one of the most trying tests of brand reputation and customer loyalty. To confront this situation in a world where breaches are realistically inevitable, CSOs should be involved with their companies’ incident response and customer communication plans as well as other areas of preparedness including employee security training and the adoption of a cyber insurance policy.

When faced with breach preparedness and response, CSO’s roles have moved beyond simply protecting data to be the driving force of consumer protection efforts as well. Following a breach, affected parties are demanding more from companies. In fact, according to a consumer survey from the Ponemon Institute, transparency is one of the most important aspects of data breach notification. Sixty-seven percent of consumer respondents expect companies to explain the risks or harms that may be incurred as a result of a breach, and more than half expect the breached company to disclose all facts about an incident.

In addition to being essential to maintaining corporate reputation, consumer protection is quickly shifting to become a compliance issue as well. Regulators and consumers alike are increasingly looking to businesses to protect customers against the impact of security incidents. An industry survey found 63 percent of consumers believe organizations should be obligated to provide identity theft protection after a breach, and many state attorneys general agree. On both local and national levels, proposed legislation is incorporating consumer protection. New cybersecurity law is being discussed at a federal level, and 47 states have introduced their own data breach notification requirements for companies. There is also ongoing dialogue around the kind of protection being offered and what the baseline is for adequate services such as having access to your credit report or receiving proactive monitoring vs. just fraud resolution assistance after the fact, leaving consumers on their own accord to catch fraud themselves.

Everyone’s role has evolved in light of the surge in data breaches. Security executives, in particular, are in the hot seat and must adapt to more pressure to keep data secure and increased scrutiny when a breach occurs. This is certainly understandable. In today’s climate, they are ultimately one of the major lines of a defense to protect a company’s reputation.

Michael Bruemmer, CHC, CIPP/US, is Vice President with the Experian® Data Breach Resolution group. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Bruemmer currently resides on the Ponemon Responsible Information Management (RIM) Board, the Information Security Media Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

Right now, in the pandemic environment, business leaders are balancing internal priorities – managing cost and impacts to productivity – with market and external priorities like government requirements, customer needs, and perceived standards of safety and health.

Security Magazine

2020 August

This month in Security magazine, we examine how physical security leaders are being propelled into a unique position of revenue preservers and risk managers for their businesses. In addition, we profile Scott Ashworth, Director of Security for Atlanta United. Also, security leaders discuss how to develop cybersecurity careers, election security, data protection strategies, measuring and reporting security operations maturity and more!

View More Create Account

The CSO’s New Role: Guarding Company Reputation

Recent Articles by Michael Bruemmer

Companies are Failing to Get Ahead of the GDPR

Combating Complacency: Getting the Most Out of Your Data Breach Response Plan

Top 5 Fails from Companies Preparing for and Responding to a Data Breach

Dispelling the Dangerous Myth of Data Breach Fatigue

3 Factors to Employee Data Loss Preparedness

Security Magazine

2020 August

The CSO’s New Role: Guarding Company Reputation

Recent Articles by Michael Bruemmer

Related Articles

Related Products

Report Abusive Comment