It’s a toss-up as to whether retailer card breaches or NSA activity is the hotter news story of the day. So far, 2014 has seen its fair share of security news, and if the security industry wasn’t mentioned by an everyday Joe in the past, it is now.
The everyday Joe refers to people who are not in security, or in IT for that matter. They are our parents, friends, and coworkers. They are watching the news, reading Twitter posts, and trying to understand what’s going on. They are on the outside, looking in, to the world of information security.
While the NSA stories are interesting, to the average person, retailer credit card breaches are hitting closer to home.
Why? Cards are part of our lives; we use them every day and can’t imagine life without them. Cards are promoted in advertising that pokes fun at someone who pays cash. Sure, go ahead and write a check at Starbucks for a latte on Monday morning and see if the person behind you doesn’t breathe a deep sigh. Cards are a convenience and, what’s more, when we use them, it doesn’t feel like we paid for anything. Americans love their cards, so much so that the average US household credit card debt is $15,270, according to Nerd Wallet.
As the holidays came to a close in 2013 and people went back to their normal lives, it became apparent how much of a role emotion plays in the aftermath of a breach. Yes, there are technical and legal aspects, but for the average person, this is personal. New cards began arriving, and cardholders then had to update payment information with every merchant who stored their card number. What a pain!
Over the course of a couple of weeks, consumers have responded with comments that further illustrate their frustration and their lack of understanding about something that seems as simple as protecting their card. Seen through the lens of the cardholder, it is hard to understand how something like this can happen. Cardholders are not wrong to think this way. The point being made here is that there is a very big disconnect between cardholder expectations and security teams.
To help explain this, the following cardholder comments about card breaches were said or written during the past week.
“Damn you, Target. Having a hard time feeling sorry for them. Knowing retailers and their watchful eye on margins, could this have been avoided if they invested in proper security solutions? Makes me wonder.” – SVP, Internet Data Analytics Company
“Wow, how could they not detect this?” – Director, Risk Management
“Someone wasn’t doing their job.” – Project Manager
“They need to put up a better firewall.” – CEO, Financial Legislation Association
No matter which side of the fence you are on, it is hard to argue with the passion behind their statements, even if they don’t understand how it works.
The lack of understanding on both sides seems to be more evident than ever. Cardholders don’t understand the current threat landscape, and security teams don’t understand the viewpoint of the cardholder. What’s worse, management and security teams are not more connected and engaged in proactive security and business conversations. Security teams need to begin perfecting the ability to effectively communicate and engage with management, something security consultant Michael Santarcangelo addresses very well.
Security professionals should use this opportunity to observe and learn from the events and begin engaging with business leaders on the topic of security. Even if your business does not manage payment cards, there’s some valuable asset worth protecting, or there wouldn’t be a business. As long as security incidents continue to make the front page, there will be more interest in the world of information security, and we will be relied upon to provide clear communication that can be understood at all levels.