I recently started listening to “The Portable MBA”, which got me reflecting on the business implications of information security. None of what I write below seems new or enlightening; I thought this might spark some interesting discussions and also serve to sharpen my own thoughts.
Business managers need to take risks. Indeed, the fundamental tenets of being in business require risk taking. Generally, these are financial risks and impact investors and directly related parties. For instance, hiring or not hiring another worker is a risk, as is buying a new piece of equipment.
Think for a moment about a piece of manufacturing equipment: once purchased and installed, a business manager generally needs to pay to maintain the equipment to keep it functioning.
The manager can, however, cut back on time and money spent on maintaining the equipment. For a while, this decision will improve profits. Eventually, however, the equipment will stop operating as it should, causing reduced production. The attempt to save money through inadequate maintenance financially hurts both the firm and the manager through lower sales and possibly higher repair costs than those saved originally.
This sort of tradeoff is very common in business, and managers are constantly seeking the optimal level of operational overhead: too much wastes money that could be used for more profitable purposes, and too little creates eventual productivity and production problems.
These decisions by the business manager impact those with a stake in the company such as investors, bankers, owners, shareholders and even employees. To some extent, customers are impacted as well, since such decisions may impact prices or availability.
Data security is an odd case considering the above background. As it pertains to securing customer data, the investment decisions made by a business manager directly impact the customers whose data may be stolen, but only indirectly impact the firm itself. The data may not even belong to the customers of the firm, but rather to parties several layers removed.
This seems to present a conflict of interest: what incentive does a manager have to protect customer data? There appear to be a few likely reasons:
- Government regulatory actions
- Lawsuits from customers or other impacted parties
- Reduced revenues due to customer rejection
- Sense of responsibility
One might argue that the free market will reward those firms who act responsibly and punish those that act irresponsibly. On a sufficiently long timeline, that may happen. Recent events appear to indicate that losing customer data does not cause companies to go out of business, and may not even significantly impact customer demand or loyalty.
An interesting attribute is that in the context of information security, the firm that loses the data isn’t the bad actor. The firm is itself a victim.
All of this makes me wonder: is the responsibility for storing sensitive data simply incongruent with the objectives of a profit-driven company?
Is it reasonable to expect such companies to invest in security, including potentially reduced productivity of employees, to avoid the possibility of losing sensitive data? Clearly some companies take the responsibility incredibly seriously, but many others do not and the market forces, to date, don’t seem to be punishing the irresponsible parties (much).