Creating A Culture Of Security – The Real Challenge
by Mike Howse - EMEA Director of Protegrity - Monday, 15 January 2007.
Why is business still plagued by poor data security? Why do we constantly read stories about security breaches, data theft and customer lawsuits stemming from confidential information getting lost or falling into the wrong hands? I say it’s because many enterprise managers view security as the method for protecting their information infrastructure, rather than focusing on the protection of the data itself. Organisations, and their clients, are better served when management and staff establish a “culture of security,” protecting valuable data and infrastructure resources.

An ever-growing percentage of computer crimes are being committed by professional “criminals” who steal market-valued sensitive data – e.g. credit card data and customer identities. Sometimes the criminals are inside an enterprise; sometimes insiders and outsiders work together to steal and resell valuable company data, as we’ve seen recently in reports on call centre fraudsters in India and Scotland.

Corporate executives, for the most part, continue to be more “reactive” than “proactive” when it comes to securing critical corporate and customer data. When security breaches such as those of ChoicePoint, Bank of America and AOL make headlines, the mandate “keep us out of the press” is handed down to security managers. The mandate frequently carries no additional budget to deliver the security that is required for the task at hand.


The cost of security breaches has, for years, been calculated based on the direct cost of remediation. However, classic models to determine the appropriate level of security spending were developed before companies had to publish press releases whenever they had a security breach. As industry regulations and laws become ever more explicit in terms of best-practice security procedures, so do potential liabilities. Plus we must factor in damage to company brands, declines in stock price and customer loss (and the legal and notification costs). This all means that adequate funding for data security measures becomes a recognised cost of doing business.

Even as more companies develop increasingly detailed security policies and hire compliance officers, security managers continue to report that the regulations and security policies are not translating into behavioural change. If anything, security managers report only sporadic enforcement of security policies and growing confusion related to the ownership of the data protection problem in some larger enterprises. In some organisations, there are many different departments and teams which own some part of the data security/privacy problem, with the result being difficulty in reaching decisions and deploying technology and process change.

COPYRIGHT 1998-2013 BY HELP NET SECURITY.