It is a fairly common refrain in information security to suggest that we are "protecting the brand" when asked what value we return to an enterprise. In most cases I am skeptical, primarily because it is such a vague and ambiguous notion, and secondarily because I think it is b.s. We operate in a much more specific space, one usually consumed by viruses, worms, spam and other malware that require janitors to clean up.
Of course, there are those cases when brand DOES matter. Here are a few of those circumstances:
- When someone other than the security pro says that security "protects the brand."
- When the brand is recognizable to its customers.
- When the compromise of the brand has a direct impact on revenue, as in the case of ecommerce companies.
- When there are many similar alternatives, i.e. the differentiation is minimal and competition is heavy.
- When the CISO holds a senior position within the organization.
Another way to illustrate the question and challenge of brand value is to go through the thought exercise of trying to name the last half-dozen or so public compromises. It can be a very difficult task.
Lately, there have been compromises against Wells Fargo, T-Mobile, the FBI, and SAIC, as well as a number of others. So in order to be protecting the brand, these compromises should have affected brand value. I tend to believe the degradation of brand value is probably short-lived at best and perhaps non-existent.
One other way to tell whether brand matters: If you are at a company where brand really does matter – say at one of the "Top 100 brand" companies that BusinessWeek identifies each year – you just know it. Justification is not required. (Alternatively, if you find yourself screaming to anyone who will listen how important brand is and feel like it falls upon deaf ears, you are the wrong person to be doing that job, and brand doesn’t matter to that organization).
Hi Pete—
The comment “When someone other than the security pro says that security ‘protects the brand’” made me laugh. A vendor I know (who shall remain nameless) recently showed me an “ROI” tool that attempted to calculate the value of brand dilution after a hack. The justification used was that oft-cited study about how stock prices go down ~5% after a public hack.
What CRAP. I hate stuff like that. It’s just FUD FUD FUD used to sell products.
But of course, I’m just preaching to the choir.
See you at RSA next week? –Andy
Well, I guess I will see you at RSA, though my tenses are all mixed up because I can’t figure out how to review my comments, so now RSA is over.
Yes, I don’t rule out brand value, but I find it very, very unlikely. There have been a couple of studies regarding stock prices with varying results. The thing about stock price is that rebounds are common.