Every day, business managers and IT execs risk their reputations by taking insecure systems and vulnerable applications to market
Do you really need 5 reasons? I don’t think so. But it serves to illustrate my point that you wouldn’t knowingly push out a new product or service knowing that it has security vulnerabilities or privacy weaknesses. Now that we agree on that, let me be clear that ‘rushing’ a product to market is perfectly acceptable as long as critical operational steps are not skipped. In fact, it may be recommended to ship as soon as possible not just to remain competitive but also to maintain a tempo of achievement that helps preserve employee morale and corporate pride.
But would you skip functional testing only to introduce a product that would embarrass the organization? You’d be a fool to also omit basic activities such as supplier agreements, safety testing, launch announcements and a mechanism for supporting the new initiative.
So why would you launch a great new Web site without adequately ensuring its security? How about a member database without privacy settings to protect individual accounts? A corporate voice mail system without security testing? Check. An exotic car dealership without adequate physical security? Check. A new version of air traffic control software – or pizza ordering system for that matter – without proper security and privacy testing? Check.
How to lay the foundation of a simple risk management process
Practically everything we can imagine is somehow dependent on information, that intangible asset that can give you a competitive edge or destroy your organization. So having the information risk process in place to conduct proper testing throughout your product’s lifecycle is the easiest way to mitigate the risk.
Implement a testing process of functional verification that is performed by people other than the ones who set it up. Secondly, ensure that those people are not just random but professionals qualified to undertake and report on such activities. Third, verify that they are trustworthy and accountable for their findings.
Why bother with security and privacy in the first place?
Naturally, the above are all great reasons to seek independent assurance of degree to which your new system, product, Website, process or application will expose you and your company to risk. But why would you want all new initiatives reviewed for security and privacy in the first place?
Daily news headlines are replete with catastrophically embarrassing events that damage business reputations and expose individuals to privacy breaches. No one wants to be responsible for hurting their company or its clients, but it seems that it keeps happening because managers and directors, owners and executives have little to no frame of reference as to when to request a professional risk assessment of their products and services. Would you ever launch a product knowing that it was faulty or vulnerable? Of course not. But what makes you think you’re qualified to determine what the risk of a breach will be?
Without further ado, here are 5 ways to know when you need to demand a professional risk assessment report:
- If your system has touchpoints to sensitive information, then you absolutely need to know the risk. Try to request a quantitative analysis as well as a qualitative one, and take the time to get all your questions answered.
- If your company name is on it, your reputation is on the line. If the personal information of individuals is involved, the privacy impact assessment (PIA) should be your tool of choice. Find a reputable certified privacy professional (CIPP) and make sure you get a meaningful final report.
- If you know that you’d better test it, then get it done. Conducting a proper check-up makes you look good. Getting a fluffy, automated one may trivialize the undertaking and demonstrate a lack of commitment on your part. You can’t risk looking irresponsible because it will impact the legitimacy of every other part of your business.
- Emerging threats. Every single day, criminals try to extract value out of available systems. Your job as a leader or influencer is to protect your assets against compromise. By skipping risk assessment or adequate security management you’re giving up before you even start, endangering your company and its client base.
- Compliance. It’s an important part of doing business. It telegraphs that you take the time to demonstrate, point by point, how all the key risk areas are addressed by your new system. It’s an easy way to show that you’re compliant with industry regulations, laws and standards. Whether they are PCI-DSS, Bill 198, PIPEDA, PHIPA or workplace safety regulations, get to know the requirements and earn that compliance because it will pay off in spades.
I continue to be surprised at the arrogance of many managers to argue that the new software they’re launching has no bearing on their compliance, reputation or security. If that were so, then the new product would have no importance and no value, making even a basic investment in its launch pointless. Worse yet are those instances where website visitors and clients point out obvious flaws in security only to be placated by apathetic customer service reps (or managers).
Demonstrating blatant disregard for security and privacy is not a good way to make headlines. Take the time to conduct regular impact analysis to preserve the security and privacy of your company. It is well worth your time and investment.