When last we wrote about Paris Hilton…actually, we’ve never written about Ms. Hilton and were quite prepared to remain the only magazine in America never to do so. But when her name suddenly cropped up in a number of newspaper stories that also contained phrases like “computer security and forensics teams are investigating,” it was clear her moment had come: she had emerged as a veritable public service announcement for technological vulnerability. Even as she scrambled to apologize to a Who’s Who of celebrity pals, another company, Atlanta-based ChoicePoint, announced that it had failed to discern who was whom among its customer base and had managed to sell personal data on 145,000 people to bogus companies created by an identity-theft ring.
Our cover story on identity theft was well under way before that story broke, and while we knew it would be topical we didn’t know it would be that topical. Nor did we know that our Browser section would be dominated by IT security news (new products, policies, and acquisitions by Microsoft, the arrest of a notorious spammer, the growing problem of lost mobile devices, and related nuggets). In fact, by the time we were ready to go to press, we realized that we had a de facto theme issue on our hands, with computer security meriting at least a mention in almost every story we produced.
We don’t mean to sound alarmist, but what the heck is going on here? The ChoicePoint debacle spawned a rash of news reports including “Hacking Attacks Rarely Made Public, Experts Say” (which cited a 2004 survey that found that only 20 percent of companies report computer-security breaches to authorities) and “Secret Service: Fraud Threatens Economy,” which included, among other tidbits, the good news that while a recent online scam did cost credit-card companies and consumers more than $4 million, the losses could have topped $1 billion if the case had gone uncracked.
Companies have spent heavily on computer security, and most CFOs we surveyed expect that to continue. But CFOs who rubber-stamp those invoices and consider their jobs done risk missing the chance to make a bigger contribution. “Security is a characteristic, not a market,” says Jack Danahy, who is a member of the Treasury Department’s New England Electronic Crime Task Force and of a Department of Homeland Security task force on software security. Like uptime or reliability, security should be an inherent part of every facet of IT infrastructure, rather than a discrete (and vast) category of products and services piled onto a computer system to safeguard its contents and control its accessibility.
“I know CFOs are frustrated by the task of deciding how much of which stuff to buy,” says Danahy, who as president and CEO of Ounce Labs sells some of that very stuff. “But they have the knowledge of risk management and a broad understanding of the business that helps their companies address this issue rationally.”
Rationality hinges in large part on what economists call “perfect information,” and with no one able to say what new threats lurk around the corner, perfect information is impossible to come by. But with so much technology vying for precious dollars, sensible strategies depend on C-level executives banding together. Working with your CIO and others to devise a sensible security policy probably won’t land you on Paris Hilton’s speed-dial list, but, as her friends will tell you, privacy is a beautiful thing. —Scott Leibs