Data Breaches: Time to Think Differently

By Marcus Clarke, Principal at REDW

For nearly two decades, I’ve been deeply immersed in computer security. No, I’m not a shrouded figure in a hoodie – I wear business attire because my job has been to help law-abiding organizations stay safe. I’m not a hacker of either color, but as a former programmer, I am a technician at heart. My real passion is risk, in particular cyber-risk. For most of my career in security, I ran a small boutique firm that offered risk-averse organizations managed security services. These services focused on preventive technology, as well as monitoring availability, performance and security. The guiding principle in those days was prevention, and my value to our clients was to help them balance risk and cost. I would help them understand their risks, especially those of availability and confidentiality, and then help them determine their risk appetite (or tolerance). Once these were understood and evaluated, I would propose the appropriate level of our services to their executives. This worked very well until I sold the company several years ago.

Today, I’m really, really glad I’m not in that business. Why? Because even unlimited amounts of expertise and technology will not prevent a data breach. According to recent data from Forrester Research, 53% of all organizations suffered a data breach in 2016. With those numbers, you’d have better odds in Vegas. Playing the devil’s advocate for a moment, I might speculate that those 47% who didn’t get breached are those who invested more in better prevention.

However, the fact remains that the number of organizations who have never been breached is even closer to zero.

The takeaway: it is now more important to invest in resiliency than prevention. The cost of the sophisticated technology and the hard-to-find skills required to run a top cybersecurity prevention effort is far greater than the simple steps needed to build the resilience you need. Your budget should ensure preventative measures that meet or exceed the best practices of your peers, but spending a whole lot more isn’t the best move. Instead, focus on cyber-resiliency – your ability to rapidly and effectively respond to a data breach in such a manner that the cost and reputation damage is minimized.

Surprisingly, a reportable data breach even presents an opportunity to respond in such a way that your reputation not only doesn’t take a hit, but is actually enhanced. These days, even the best prepared organizations are breached, so there’s no shame in that. Unless, of course, you are found negligent. If you can respond more quickly and more empathically, demonstrating that you genuinely care about your customers, they will not only defend you but promote you in the many conversations that follow the fallout.

Many years ago, a business partner shared some sage advice with me. I was upset because I wanted to deliver a perfect experience to every client and I just couldn’t seem to make it happen. He said that customer loyalty is not built through success, but rather through how you handle problems. “When you show up, resolve the problem, help them recover quickly, they know they can count on you when the going gets rough. That’s what builds loyalty.” This was a very valuable lesson for me, because instead of trying to perfect something that wasn’t fully in my control, I could control every bit of my response. From that day on, I no longer dreaded a failure, but saw it as an opportunity to build the relationship. Dealing with a reportable data breach is no picnic, but with the right preparation, it can actually be an opportunity to distinguish yourself from everyone else.