In this video, Kip Boyle explains why achieving your customers’ expectations is a major goal of an information security program. Discover some key tools and strategies for meeting expectations.
- [Instructor] Achieving our customers' expectations is one of the four major goals of an information security program. Businesses need the trust of their customers in order to remain viable. One of the many negative consequences of a breach of confidential customer data is abnormal customer churn. Customers will leave you just for violating this sacred trust. To be clear, this is a loss of customers above and beyond the normal loss that all businesses experience.
According to the 2016 Cost of Data Breach Study conducted by the Ponemon Institute, the rate of abnormal churn for financial firms can be as high as 6.2%. You can see the rest of the industries here. Trust is also a cultural phenomenon, so you can expect higher abnormal churn in France, Japan, and Italy, but lots of countries have measurable amounts of sensitivity. So, your customers are trusting you with their data. Let's review what that means within the context of the three goals of information security.
First, confidentiality means you are protecting the information customers share with you, such as their own personally identifiable information or that of their customers. Second, integrity means that the information your customers share with you will not become corrupt before you make decisions based on it or when they access it again. And availability means that the products and services you sell will be available whenever they're needed, such as a bill payment portal or shipment tracking.
The failure of your information security program can result in big losses for your customers. Here's an example. In September of 2010, a server failure forced Virgin Australia Airlines, formerly Virgin Blue, to resort to manual check-in. This resulted in more than 100 canceled flights affecting 100,000 passengers. The airline itself lost over 20 million dollars in revenue.
There were emotional and financial consequences for those passengers who missed their flights, and some of them will stop flying with Virgin either temporarily or permanently, which is where abnormal churn comes from. In order to meet your customers' expectations, you need to know what they expect. Your company makes confidentiality, integrity, and availability promises to your customers in the contracts they sign with your organization. Customers also count on your company to obey the laws and regulations related to information and cyber security.
For some companies, knowing what you've promised to customers is easy to determine, because you offer a standard contract to everyone, like a software company or mobile phone provider that sells to consumers. For other companies, customer promises are negotiated on a deal-by-deal basis, such as a business selling highly customized services to another one. To keep customer promises about information security, there are three specific activities your program needs to practice.
First, perform an initial review of all customer contracts. You might only have enough time to review the major ones, or you might only need to review the standard contracts whenever they change. But once you know what promises you're making, incorporate these requirements into your daily operations. Finally, give prompt notification whenever you fail to meet customer requirements. This probably seems risky and dangerous to do, and it may be, but it's even riskier not to say anything if it happens.
If you violate your customer's trust, eventually someone will find out, and when they do, you'll have a much tougher problem on your hands.