Information Security

May 06, 2008

Briefing on Payments and Privacy Developments

Recently, Perkins Coie and Generator Group co-sponsored an attorney-led discussion highlighting the legal issues surrounding payments and privacy developments for the retail industry.

Payments:
The issues and challenges are increasing on pace with the advancement of new technology, products and payment methods. For example, retailers are now offering gift cards that reward points for loyalty or that are sent out in the form of a rebate. The complexity comes into play when retailers have to take into consideration individual state laws regarding expiration dates, breakage and fees for gift cards, unclaimed property, rebate cards and loyalty cards.

Privacy:
Mobile technology, e-commerce, data storage, and related partnerships also bring obligations and concerns regarding customer privacy and information security. In addition to a privacy policy, it is recommended to have a security breach response plan. John recommended that retailers consider all of the places where customer information resides, including data processors, storage companies, servers, and employees' computers and laptops. The number one source of information breaches is lost or stolen laptops, but other stories of insufficient firewalls and other preventable breaches were also discussed. The monetary cost to a company responsible for a breach is significant, especially when you consider the cost of a tarnished brand reputation.

Contact Generator Group's technology services team at (888) 621-9934 to tap into our expertise for recruiting your key information security executives. Contact Perkins Coie at (206) 359-8377 for more information on how they can help to protect your business against common payments and privacy issues.

December 25, 2006

PCI…why NOT?

by Jesse Connell

I was at lunch last week with a good friend who is the VP of Risk and a co-worker, the company's CISO. While we were mostly catching up, we did spend some time talking about PCI and reflected on some interesting examples of attacks and violations relating to PCI.

My thought was: why aren't more companies secure or compliant with this standard, not only to meet looming compliance deadlines but also for the protective benefits? According to this (slightly dated, sorry!) article:

"Visa has reported that 22 percent of Tier 1 merchants (organizations processing more than 6 million transactions per month) are PCI compliant, and 72 percent are on their way to becoming fully compliant." 72% are NOT compliant! Earlier this year MasterCard said 20% of its top-tier merchants had not even submitted plans for compliance. Also, it is generally accepted that small to mid-sized retailers are in many cases at more risk and seem to be doing less about it. While that may be due to lack of awareness (of real risks) and lack of IS maturity, there are also some challenges that have to be overcome. The article references some of those challenges (legacy and proprietary software, multiple regulations, costs and lingering risks).

As is often the case, it boils down to understanding risks, informing and raising awareness internally, and making the best decisions for the company. Knowing the business implications and having the judgment to lead the company down the right path is paramount.

November 28, 2006

Information Security…and Company Brand?

by Jesse Connell

A recent ESJ article explored a CMO Council study based on a survey of corporate execs, marketers and consumers. It seems clear from this that companies simply are not keeping pace with the impact that information security has on corporate brand. The crux from a consumer standpoint is trust, and in the event of a crisis there are very real financial repercussions. Impact to a company's brand is a direct consequence of this. If trust is broken with your consumers, they no longer use your services. Seems simple, but what is being done? What business opportunities are being overlooked?

Only half of the 250 execs polled indicated they had a crisis containment plan in place. The author of the article notes the disconnect "in what marketers believe and what is being done: 60 percent report that security has not become a more significant theme in their company's messaging and marketing communications. Just 29 percent say their company has a crisis containment plan for security break-ins and failures".

Interesting. Many companies are not prepared to communicate effectively in the event of a security crisis, even with the stakes so high. Of course companies need to manage the negative (crisis communication), but what about the upside? If you have capable and mature security practices, there may be opportunities to leverage that in ways that are not traditionally obvious.

This seems to be another example of the convergence between that "IT stuff" and the rest of the business. Convergence is not just Guns/Guards/Gates coming together with logical information security; it really has to be a thoughtful collaboration across the entire company. In many cases there will be a measurable functional business impact relating back to security, both positive and negative.

In this case one can see that information security could be a great tool for the marketing team. Sell consumers confidence in your organization's solid security practices: a framework with strong auditing, risk management and privacy controls. So while the information security group limits risk, the marketing team can leverage the same things in branding efforts as a differentiator.

This is a great reminder of the largely untapped business potential of security and IT. Still, it seems that thinking about security convergence and collaboration outside the cubes of IT is slow to take hold. As awareness grows I think this will accelerate, but it will require someone at a high level in the company enabling that collaboration. As with most things worthwhile, it's not easy.

We've seen with our information security and executive-level IT searches that it takes a somewhat special breed of practitioner to really think critically about partnering opportunities within the business. So it may never be easy, but being able to identify, assess and hire the right person can make a big difference.

October 04, 2006

Information security: Are defensive measures enough?

What do you do when your network or IP is being attacked? Are defensive measures enough? Or is it time to take the offensive and fight back?

Jeremy Barnaby and Jesse Connell from Generator Group attended the Washington Software Association dinner meeting on this topic on September 20th in Seattle.

The speakers were IT experts and information security thought leaders from the University of Washington Center for Information Assurance and Cybersecurity, Perkins Coie, Microsoft, and Seitel Leeds & Associates.

The issue of "Active Defense" opens a Pandora's box of questions and issues.

Among them:
1. How do you know who is attacking you?
2. Once you have identified your attacker, what is the appropriate response?
3. What tools are legal and ethical to use?
4. How much responsibility does the government have to ensure the security of our information?

Jeremy and Jesse reported that the threats posed by this growing security dilemma are huge and costly. The good news is that there are a lot of challenging problems to solve and interesting long-term career possibilities fighting information bandits.
