David Puzas talks about preserving reputations
When information technology fails or suffers a security breach, it can cripple production, sales or even accounts payable. But, says David Puzas, it also eviscerates a company's reputation. And that's an expensive—and often prolonged—injury. A recent IBM study found that IT particularly influences customer satisfaction, compliance and brand reputation.
"It's very common to turn on the news and see that a business has been compromised,” says Puzas, who is IBM's worldwide marketing executive for enterprise and workplace services. And such news is no longer confined to business reporting. With Twitter, Facebook and other social media, customers are quick to report any problems and vent their dissatisfaction. Their discontent can linger in social media long after the immediate problem has been remedied. More than 20 percent of web site outages can affect a reputation for up to a year, according to IBM research.
The result can be acute financial pain. One well-publicized breach of an online gaming company resulted in losses estimated at $3.6 billion, Puzas says. “Consumers speak with their money. They can choose to take their business to a competitor in a heartbeat, especially if the perception is that there are concerns with doing business with the affected company."
Of course social and mobile media also offer opportunities to business. Yet, the more a company tries to embrace emerging technologies–social media, the cloud and BYOD (bring your own device)–and integrate them into its marketing and sales, the more openings it creates for security breaches. The same polarity characterizes today's more tightly linked supply chains.
"There are so many ways that businesses are trying to touch the marketplace," says Puzas. "And that places a tremendous burden on the IT staff. Unfortunately, most IT budgets are either flat or down. For organizations that want to take advantage of emerging technologies, the need to do it securely should at least represent table stakes.
"It's almost common sense," he continues. "Building secure applications requires more of an investment in time and staff . Many organizations don't think they have the resources or simply can't wait. Plus, there's a massive shortage of people with skills around security. So many enterprises shortcut security and decide 'It'll never happen to me.'"
In fact, many companies know their IT risk level is high. According to IBM's study, "Reputational risk and IT," 80 percent of businesses rate their reputation as "excellent" or "very good.” But only 17 percent of those surveyed rate their company’s overall ability to manage IT risk as "very strong."
"Our response to this is a must-do list of 10 essential practices (see sidebar) that we use at IBM to secure our own business, one of the largest infrastructures in the world," says Puzas. "You'd be surprised at how many organizations don't implement these essential practices.
"You want to manage against vulnerabilities. The key is the ability to prevent damage before it occurs. IBM provides the ability to be proactive and to identify potential risk. But you also need to be prepared in event an incident does occur. That means identifying a risk as it happens and discovering who is behind any attacks. In many cases, we're been able to come in and stop an attack in progress.
"Protecting your reputation comes down to a few key actions. Be aware. Do a risk security assessment so you know what needs work and can set priorities. Be proactive. Manage against vulnerabilities, especially sophisticated attacks, through real-time protection. And be prepared. Have an incident response plan so you can respond quickly and remediate any breach."