Security and risk professionals need to rethink their role in the age of the customer, says Manatosh Das, Forrester analyst.
As he notes, customers today have more information about, and access to, competitors than ever before. "Companies that don't take this power seriously will lose out," he writes in the Forrester report on the Five Security Priorities That Asia Pacific Firms Must Address In The Age Of The Customer.
"The time is now for security and risk leaders to become strategic thinkers who innovate and create business value by helping to win, serve, and retain customers," he writes.
"You should have a clear understanding of how important protecting customer information is to your business and be sure to explain this clearly to your customer-facing colleagues."
His first piece of advice, however, is to speak in a language business colleagues can understand: "Don't talk bits and bytes."
This way, you can move from being a technology blocker to a technology enabler, explaining how your efforts support business growth and customer service, he states.
Das lists the five security priorities for security and risk professionals working towards this goal:
Protect customer data like it is your own
Data is a gold mine for business, and hackers are also looking for new ways to exploit it for financial gain, says Das. He recommends starting by complying with local laws. Global firms in the region generally do not take local regulations seriously enough, he says. Many tech management professionals are unfamiliar with local requirements and simply use guidelines that comply with the EU Data Protection Directive. While this is a good foundation, he says local laws in the region are not aligned to the EU model and penalties for non-compliance are growing.
Improve the customer experience with easier but effective authentication
Tech management organisations constantly struggle to find the right balance between security and convenience, he writes. "Businesses continue to subject their customers to intrusive, inconvenient authentication processes employing myriad passwords, PINs, tokens, and security questions -- the modern-day tools of torture." He recommends: Break away from old user account management technologies and use more adaptive and behaviour-based authentication methods. The approach means picking up every available contextual and behavioural clue about the user: the device being used, its IP address and geolocation, sensor data from the device, and the task the user is attempting to perform. Google, he says, does a similar risk analysis, using more than 120 variables.
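To make the recommendation concrete, here is an added illustration of a contextual, risk-based login decision. It is not code from the Forrester report or from Google's system; the signals it scores (device, country of the source IP, anonymising proxy, impossible travel between consecutive logins, sensitivity of the requested action), the weights and the thresholds are assumptions chosen for the example. The attempt is classified as "allow", "step_up" (demand a second factor) or "deny", so the common case stays frictionless and the extra prompt is reserved for attempts that look unlike the user.

```python
"""Risk-based (adaptive) authentication decision for one login attempt.

Added example, not the report's or any vendor's code. Weights and
thresholds are illustrative assumptions.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional, Tuple


@dataclass
class UserProfile:
    """What the service already knows about the user."""
    known_devices: set
    known_countries: set
    last_login: Optional[Tuple[int, float, float]] = None  # (unix time, lat, lon)


@dataclass
class LoginContext:
    """Contextual signals collected for the current attempt."""
    device_id: str
    ip_country: str          # country derived from the source IP (assumed available)
    lat: float
    lon: float
    timestamp: int           # unix time of the attempt
    action: str              # task being attempted, e.g. "view_balance"
    anonymising_proxy: bool = False  # source IP known as Tor/VPN exit (assumed signal)


SENSITIVE_ACTIONS = {"transfer_funds", "change_email", "add_payee"}
MAX_PLAUSIBLE_KMH = 1000.0   # faster than a commercial flight => "impossible travel"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(min(1.0, a)))


def risk_score(profile, ctx):
    """Return (score, reasons): each anomalous signal adds to the score."""
    score, reasons = 0, []
    if ctx.device_id not in profile.known_devices:
        score += 30
        reasons.append("unknown_device")
    if ctx.ip_country not in profile.known_countries:
        score += 25
        reasons.append("new_country")
    if ctx.anonymising_proxy:
        score += 30
        reasons.append("anonymising_proxy")
    if profile.last_login is not None:
        t0, lat0, lon0 = profile.last_login
        elapsed_h = (ctx.timestamp - t0) / 3600
        # Skip out-of-order (clock-skewed) events rather than alerting on them,
        # and floor the interval so geolocation jitter between two near-simultaneous
        # logins from the same city is not mistaken for travel.
        if elapsed_h >= 0:
            speed = haversine_km(lat0, lon0, ctx.lat, ctx.lon) / max(elapsed_h, 0.25)
            if speed > MAX_PLAUSIBLE_KMH:
                score += 40
                reasons.append("impossible_travel")
    if ctx.action in SENSITIVE_ACTIONS:
        score += 20
        reasons.append("sensitive_action")
    return score, reasons


def decide(profile, ctx):
    """Map the risk score to an outcome: allow, step_up (second factor) or deny."""
    score, reasons = risk_score(profile, ctx)
    if score >= 80:
        return "deny", reasons
    if score >= 25:
        return "step_up", reasons
    return "allow", reasons


if __name__ == "__main__":
    # Constructed profile: one known laptop, always seen from NZ, last login in Auckland.
    alice = UserProfile({"laptop-1"}, {"NZ"}, last_login=(1_000_000, -36.85, 174.76))
    usual = LoginContext("laptop-1", "NZ", -36.85, 174.76, 1_000_000 + 7200, "view_balance")
    odd = LoginContext("phone-9", "GB", 51.51, -0.13, 1_000_000 + 3600, "transfer_funds")
    print(decide(alice, usual))   # ('allow', [])
    print(decide(alice, odd))     # ('deny', [...impossible_travel...])
```

Because every reason is returned with the decision, the same engine feeds both the user-facing prompt (why a second factor is being asked for) and the audit log that the analytics discussed later in the piece would consume.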
Build a mobile security ecosystem to empower staff
Forrester estimates that 39 percent of budget decision-makers in the Asia Pacific region will prioritise building a mobile strategy for employees this year. "Stop playing constant catch-up with every new device by placing security controls around the lowest common denominator of all of these devices: the apps and the data," he writes. He cites an Indian conglomerate that implemented network encryption, virtualisation in conjunction with mobile device management (MDM), and a strong application wrapper. But it soon realised it had to look beyond devices and "focus on data".
Protect big data and improve your security with big data analytics
Traditional signature-based security products do not work against today's advanced threats, he says. Organisations need to use advanced security analytics and correlations that detect anomalies and deviations from baseline behaviour. At the same time, organisations can consider outsourcing to fill skill-related challenges. "Technology is only part of the solution," he writes. "The other critical part is maintaining a talented set of security and risk professionals that can harden the IT environment and fine-tune security products to accurately identify threats."
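To show what "deviations from baseline behaviour" and "correlations" mean in practice, here is an added Python example; it is not from the report or from any product. It parses constructed sshd-style log lines, builds a per-user baseline of daily failed logins over a seven-day window, flags a day whose count deviates from that baseline, and then correlates the flagged burst with a subsequent successful login from an address never seen in the baseline (the pattern a signature cannot express because no single line is malicious). The log lines, user names, addresses and thresholds are all constructed for the example.

```python
"""Baseline-deviation detection and correlation over authentication logs.

Added example, not the report's or any product's code. All log lines are
constructed here; thresholds are illustrative assumptions.
"""
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Matches the constructed sshd-style lines below (date, outcome, user, source IP).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2})T\S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)


def make_day(day, failures, accepted=()):
    """Constructed log lines for one day. `failures` maps user -> (count, ip)."""
    lines = []
    for user, (count, ip) in failures.items():
        lines += [f"{day}T10:{i % 60:02d}:00 sshd[100]: Failed password for {user} from {ip}"
                  for i in range(count)]
    for user, ip in accepted:
        lines.append(f"{day}T11:00:00 sshd[100]: Accepted password for {user} from {ip}")
    return lines


# Seven baseline days: alice mistypes her password 0-2 times a day, bob 2-4 times,
# and both then log in from their usual internal addresses.
BASELINE_LOGS = []
for i, (a, b) in enumerate(zip([1, 0, 2, 1, 1, 0, 2], [3, 2, 4, 3, 2, 3, 4]), start=1):
    BASELINE_LOGS += make_day(f"2015-03-0{i}",
                              {"alice": (a, "10.0.0.5"), "bob": (b, "10.0.0.9")},
                              accepted=[("alice", "10.0.0.5"), ("bob", "10.0.0.9")])

# Day under test: 30 failures for alice from an external address, then a success from it.
TEST_LOGS = make_day("2015-03-08",
                     {"alice": (30, "203.0.113.7"), "bob": (3, "10.0.0.9")},
                     accepted=[("alice", "203.0.113.7"), ("bob", "10.0.0.9")])


def parse(lines):
    """Yield dicts with ts/result/user/ip for every line the regex recognises."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def daily_failures(lines):
    """user -> Counter(day -> failed logins)."""
    counts = defaultdict(Counter)
    for ev in parse(lines):
        if ev["result"] == "Failed":
            counts[ev["user"]][ev["ts"]] += 1
    return counts


def build_baseline(lines):
    """user -> (mean, stdev) of daily failed logins; days without failures count as 0.

    The stdev is floored at 1.0 so a perfectly regular user does not alert on +1.
    """
    days = sorted({ev["ts"] for ev in parse(lines)})
    baseline = {}
    for user, per_day in daily_failures(lines).items():
        series = [per_day.get(d, 0) for d in days]
        baseline[user] = (mean(series), max(pstdev(series), 1.0))
    return baseline


def find_anomalies(baseline, lines, z_threshold=3.0, min_count=5):
    """Flag (user, day, count, z) where failures exceed mean + z_threshold * stdev."""
    hits = []
    for user, per_day in daily_failures(lines).items():
        mu, sd = baseline.get(user, (0.0, 1.0))   # unseen user: baseline of zero
        for day, count in sorted(per_day.items()):
            z = (count - mu) / sd
            if count >= min_count and z >= z_threshold:
                hits.append((user, day, count, round(z, 1)))
    return hits


def correlate_bruteforce_success(baseline_lines, lines, anomalies):
    """Escalate a flagged (user, day) when a successful login follows from an IP
    that never appeared in the baseline's successful logins for that user."""
    seen = defaultdict(set)
    for ev in parse(baseline_lines):
        if ev["result"] == "Accepted":
            seen[ev["user"]].add(ev["ip"])
    flagged = {(u, d) for u, d, _, _ in anomalies}
    return [(ev["user"], ev["ts"], ev["ip"])
            for ev in parse(lines)
            if ev["result"] == "Accepted"
            and (ev["user"], ev["ts"]) in flagged
            and ev["ip"] not in seen.get(ev["user"], set())]


if __name__ == "__main__":
    bl = build_baseline(BASELINE_LOGS)
    anoms = find_anomalies(bl, TEST_LOGS)
    print(anoms)                                                    # alice, 30 failures
    print(correlate_bruteforce_success(BASELINE_LOGS, TEST_LOGS, anoms))  # alice from 203.0.113.7
```

The tuning knobs are where the "talented set of security and risk professionals" in the quote earn their keep: the baseline window, the z threshold and the minimum count decide whether a noisy service account pages someone every morning or a real credential-stuffing success goes unnoticed.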
Work with the business for more pervasive risk management
Organisations fail when they do not see the full scope of risk and how it is interdependent across the business, he notes. Enterprises that build risk management programs around narrowly defined objectives such as Sarbanes-Oxley compliance, data security, or loss prevention often end up viewing risk management as an inhibitor to business. A more value-based view of risk management, he states, can be achieved with direct contributions from other business functions.
Follow Divina Paredes on Twitter: @divinap
Follow CIO New Zealand on Twitter: @cio_nz