Michelle Finneran Dennedy currently serves as VP and Chief Privacy Officer at McAfee. She is responsible for the ...

Privacy Matters Blog Series: Quantifying Reputational Risk

Friday, January 6, 2012 at 10:00am by Michelle Dennedy

There are many kinds of risk: operational, legal, and reputational risk. Most large enterprise IT teams are comfortable and proficient at measuring operational risk. It features in reports as minutes of downtime, incidents of endpoint reimages, number of patches installed, hours of overtime.

Legal risk isn’t that hard to handle, either. IT can draw on peers, auditors, and legal staff for expertise.

However, reputational risk seems to be a far more unfriendly concept. I find technical people typically consider reputation a soft science, a squishy topic that can’t be measured. As a result, IT can’t set goals, gauge progress, or claim success based upon “reputation,” and product creators cannot specify requirements for “reputation.” Because it can’t be managed like other metrics, IT staff and technical business units may ignore or downplay reputational risk’s potential impact on the business—and their roles in protecting it.

IT is missing a gigantic opportunity

I believe you can measure or at least approximate reputation, applying metrics to the same influences that affect your customers and your C-Suite executives: news headlines and stock prices. If you count the number of published reputation-buffeting events each month—the headlines in the email news summaries you receive from SC Magazine, for example—you can see what the public is talking about, and that dialog will affect the rise and fall of organizational stock prices. Reputation and market sentiment are huge factors in market valuation, which is something your CMO and CFO are tracking. Although your interest may be in the technical security side of the business, you can take actions to measure, manage, or mitigate reputational risk.

Building a Reputational Heat Map

Well before the mortgage crisis was discussed in the public and mainstream press, it was anticipated in whispers at investment community conferences and insider blogs. Eventually, and much too late for most people and the economy, it was covered in USA Today and other mainstream papers on the doormats of hotel rooms coast to coast.

Security issues that affect risk appear first in smaller, insider places, too. Then they migrate to the mainstream, to NPR, the Washington Post, Wired, and Vanity Fair. (Look at Stuxnet references on Wikipedia for a great example of this sequence.) With enough mainstream angst, trends start to register on the regulatory radar—with the European Community, the Federal Trade Commission, and others. We experienced this pattern with behavioral marketing. Privacy advocates raised objections in 2005, well before the FTC published its principles for behavioral marketing in December 2007. We are still seeing news and blog coverage on this topic today as companies experiment and push the envelope leveraging new technologies and relationships.

By the time a security topic attracts a reporter in the mainstream press, you had better have a strategy for that problem. You should be able to brief your boss with an assessment of your business’s risk, including the risk to your reputation.

This assessment is possible, but you need to be selective. Just as you don’t want to read every log entry from your IPS, you don’t want to attempt to assess all topics everywhere on the Net. Instead, think about YOUR audience and what they read—or you wish they would read. Look at two tiers of publications: mainstream media and online influencers, including blogs and news feeds. Sign up for emailed daily updates if they are available from the 3-5 most relevant sources. Also, if there is an “insider” conference, you can look at the session titles and monitor news summaries for perspective on what the industry thinks is hot.

Next, think about what risks would affect your business and its reputation. The tech bloggers today might be talking about SQL injection, advertising dollars, identity theft, or phishing. What is newsworthy for your audience? Would a successful hack at a competitor raise questions about your security? Would regulation banning use of cookies affect your service offerings? If yes, use these ideas to set up RSS feeds.

That’s your pre-work. You should revisit these decisions at least once a year, or when your business or the markets change significantly.

Now, the ongoing process. Your workflow is to:

  • Notice topics that relate to your risks.
  • Count the number of times these topics are mentioned in headlines or news stories. Depending on your work style (and the frequency of the publications you are tracking), you might either jot down mentions as you see them or save these mentions in a file for review monthly.
  • Create a spreadsheet: rows are the topics, columns are the dates. In each cell, note the number of headlines or significant mentions. If you think it’s going to be important, start to capture dates and publications (use links if you can) so you can back up your ideas. (Store this info somewhere else, not in the mention count cell, or you won’t be able to convert to a chart.)
  • Once a month, use the spreadsheet’s charting function to generate a “heat map,” an assessment of which topics have generated the most energy in the news.
  • If a relevant topic has generated significant coverage in insider publications, there’s a good chance it will reach the mainstream press. If you think this might happen, summarize your findings in a concise note to your boss and your security team. Include an overview of what the issue is, what the coverage has been so far, what the impact would be on your business, and what efforts might be appropriate to mitigate these risks.
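The workflow above, as an added example that is not part of the original post: it tallies constructed headline records into the topic-by-month spreadsheet the post describes, keeping the insider/mainstream split per cell so that the monthly escalation check (insider coverage building before the mainstream picks it up) can be automated. The publication names, headlines, topic keywords and the threshold of three insider mentions are all assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample records: (date, publication, tier, headline).
# Publications and headlines are made up for this example.
HEADLINES = [
    ("2011-10-03", "insider-blog-1", "insider", "New mass SQL injection campaign hits retail sites"),
    ("2011-10-11", "insider-blog-2", "insider", "Why SQL injection still works in 2011"),
    ("2011-10-19", "insider-blog-1", "insider", "Phishing kit found targeting online banking"),
    ("2011-10-25", "insider-blog-3", "insider", "SQL injection: a post-mortem of a breach"),
    ("2011-11-02", "major-daily", "mainstream", "Regulators weigh ban on tracking cookies"),
    ("2011-11-08", "insider-blog-2", "insider", "Cookie consent rules: what developers must know"),
    ("2011-11-15", "major-daily", "mainstream", "SQL injection attack exposes customer data"),
    ("2011-11-21", "insider-blog-1", "insider", "SQL injection scanner released"),
]

# Topics chosen in the pre-work step, each with the keywords that count as a mention (assumed).
TOPICS = {
    "SQL injection": ["sql injection", "sqli"],
    "identity theft": ["identity theft", "stolen identities"],
    "cookie regulation": ["cookie"],
    "phishing": ["phishing", "spearphishing"],
}

def build_heat_map(headlines, topics):
    """Return {topic: {month: {"insider": n, "mainstream": n}}}: rows are topics, columns months."""
    counts = {t: defaultdict(lambda: {"insider": 0, "mainstream": 0}) for t in topics}
    for day, _pub, tier, text in headlines:
        lowered = text.lower()
        for topic, keywords in topics.items():
            if any(k in lowered for k in keywords):
                counts[topic][day[:7]][tier] += 1   # day[:7] is the YYYY-MM column
    return counts

def spreadsheet_rows(counts):
    """Flatten to spreadsheet rows: header of months, then one numeric row per topic."""
    months = sorted({m for per_month in counts.values() for m in per_month})
    rows = [["topic"] + months]
    for topic in sorted(counts):
        rows.append([topic] + [sum(counts[topic][m].values()) if m in counts[topic] else 0
                               for m in months])
    return rows

def escalation_candidates(counts, month, insider_min=3):
    """Topics with heavy insider coverage in `month` that the mainstream has not yet matched."""
    flagged = []
    for topic, per_month in counts.items():
        cell = per_month.get(month, {"insider": 0, "mainstream": 0})
        if cell["insider"] >= insider_min and cell["mainstream"] < insider_min:
            flagged.append(topic)
    return sorted(flagged)

HEAT = build_heat_map(HEADLINES, TOPICS)
```

With these sample records, October 2011 flags SQL injection (three insider mentions, no mainstream coverage yet), which is exactly the point at which the post says to brief your boss and security team.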

Voila. You have quantified reputational risk.

Do this well, and you will be prepared if and when you need to discuss ideas with others. Instead of coming in with only technical data about a problem, you can talk with your colleagues in the context of the risk landscape. You look more strategic and more business-oriented. You are doing more, considering more, and recommending risk management efforts that are proportional to security. This position supports IT’s increasing need to do internal selling to non-IT people in order to get the right projects funded.

At a minimum, this exercise will keep your knowledge of the risk landscape current, and you will be more fun at parties. You can talk to non-security people about ideas that they will recognize and explain risks in terms that they can understand. Perhaps you will detect the next “mortgage crisis” level event in time to help a few people avoid its devastation.
