My buddy George at InformationWeek suggests that security breaches have negative impact on the brand. The notion of a “brand” is something I find very interesting wrt security, if only that I have heard many, many times from security folks that what we are doing is “protecting the brand” or some similar assertion to George’s.

I frequently find the reference to brand a bit specious and my first inclination is to point out that if the security person is the only one worried about brand value, then brand value doesn’t really matter to the organization in question. If you think about it, most companies just aren’t important enough, or big enough, or global enough, or whatever to have a brand that matters. I do believe there are a handful of companies whose brand actually matters, but they are few and far between. Check out the annual Interbrand “Best Global Brands” report for a great starting point.

One of the challenges with discussing impact to brand is its ambiguous nature. The brand is sort of like organization reputation except whuffie points don’t actually matter directly to an organization. Maybe I should refine things a bit to focus on profit-generating entities. They care about… profit. That is, current and future revenue generation as offset by current and future expenses. So, to the extent that brand impacts current and future revenue and expenses, then I am onboard that it matters. But I suggest we show our work in terms of current and future revenue and expenses instead of brand.