Forget security and privacy: Focus on trust

Security and privacy are bad words with bad histories, evoking bad connotations with most enterprise stakeholders. For companies to succeed at safeguarding their data, these words must go away. Here's why:

Information security and privacy protections as we know them today are a response to the ills that have befallen enterprises over time. Enterprises experience a problem or incident and don't want it to happen again, so they find the most practical way to eliminate it or mitigate against it. As a result, security and privacy practices tend to be restrictive. Furthermore, there seems to be no natural home for security or privacy in the corporate hierarchy. Every organization uniquely figures out where best to place them-so long as the chief executive doesn't have to be too bothered.

As a consequence, neither security nor privacy has been associated with the positives of most institutions or with their strategically important initiatives. They are clearly not viewed as activities that will help enterprises gain market position, enhance their reputations or provide competitive advantage. Money and investments focused on security and privacy are most often viewed as insurance premiums-to be kept to a minimum consistent with the negative risk experience of each institution. Such spending is certainly not perceived as an investment for winning stakeholders, sustaining excellence or achieving market leadership.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Security and privacy are bad words with bad histories, evoking bad connotations with most enterprise stakeholders. For companies to succeed at safeguarding their data, these words must go away. Here's why:

Information security and privacy protections as we know them today are a response to the ills that have befallen enterprises over time. Enterprises experience a problem or incident and don't want it to happen again, so they find the most practical way to eliminate it or mitigate against it. As a result, security and privacy practices tend to be restrictive. Furthermore, there seems to be no natural home for security or privacy in the corporate hierarchy. Every organization uniquely figures out where best to place them-so long as the chief executive doesn't have to be too bothered.

As a consequence, neither security nor privacy has been associated with the positives of most institutions or with their strategically important initiatives. They are clearly not viewed as activities that will help enterprises gain market position, enhance their reputations or provide competitive advantage. Money and investments focused on security and privacy are most often viewed as insurance premiums-to be kept to a minimum consistent with the negative risk experience of each institution. Such spending is certainly not perceived as an investment for winning stakeholders, sustaining excellence or achieving market leadership.

But today's world, where an increasing majority of institutions do business online using telecommunications networks that span the globe, security and privacy protections expressed in negative terms don't make the grade. Enterprises need a positive approach that positions avoidance and mitigation of information security and privacy risks as built-in elements of their business model. They must adopt an approach based on winning the trust of all stakeholders-customers, employees, channel partners, contractors, vendors and shareholders all. Trust means stakeholders feel safe in the hands of these enterprises and are confident in the secure delivery of their products and services along with protection of their private information.

In fact, trust is good business and is a good business practice.

How companies secure trust

Given the status of security and privacy today, the CIO is most often anointed as enterprise information security and privacy champion. Therefore, CIOs should lead the enterprise to a trust-based business model. The first step is to rethink how the business can engage all stakeholders in a secure and private manner through its technology-supported business processes.

Trust must be earned every day through consistent operational excellence, which includes leading-edge information protection. When stakeholders' experiences with an institution consistently meet or exceed their expectations, these experiences build awareness, then breed familiarity and finally, earn trust-which inevitably translates into profit. In this way, trust undergirds enduring success.