Information security can be both an enabler and a destroyer of value, writes Michael Harrison, Chairman of Harrison Smith Associates.

What ‘marketing aspects’? Marketing surrounding the ‘e-world’ should be simple – everyone will utilise ‘e’, therefore turn your communications to directing prospects and clients to the appropriate website, and to your email address, and carry on. Why bother about marketing the methodology? Why not stick to marketing your products? ‘Business as usual – just faster and more responsive’, should be the cry. No problem there for the marketing manager? Perhaps – and perhaps not. The trouble with our new ‘e’- communicating society is that it gives us new tools that provide immense power to the user. Why is that a trouble? Because of the word ‘user’, which is not to be confused with the word ‘owner’. This is a new concept and it has not been fully understood even by those who claim to be ‘experts’, because they are ‘IT specialists’ and this is (or should be) a senior management rather than a technical issue. Unless we take proper measures anyone can become the ‘user’, without the ‘owner’ knowing. Most of us have computers. We feel that we ‘own’ our PC – even if our organisations actually paid for them – but unless proper measures are taken we may well be sharing ‘usership’ with others. Either they know everything that we do, or they use part of ‘our’ computer’s power for their purposes; or they come in and alter our information, or are totally destructive, or act ‘merely’ as vandals. Suddenly the marketing manager is looking rather vulnerable, because his/her organisation is vulnerable, and the fallout will be lack of trust and reputation, which leads to brand problems. We all know that good brand reputation is difficult to create, easy to damage, and much more difficult to repair once it is damaged.

And today, damage is far easier to create. Why? In the ‘old days’ when we obtained a new technology, a ‘new tool to help our business’, it was ours to play with – we made the decision about when, if and how to use it. There was no thought that it could bite the hand that bought it. We owned it, we used it, we made the decisions. There was nothing else to say. Equally, in the ‘old days’ (and remember, many organisations are still in these ‘old days’) we believed that ‘an Englishman’s home (business) is his castle’. So we guarded our perimeter like mad – we had locks, bolts, fences, guards, alarm systems, etc – and as long as the perimeter was not breached we felt ‘safe’. Okay, there was always the challenge of the odd rogue member of staff, and the ‘temp’ (or the cleaner, or whoever) who was not exactly what they were supposed to be, but, by and large, we felt secure from external attack, and an insider still had to take the information out of the premises physically, and was thus vulnerable. And if by chance we did find someone ‘up to something’, it was nice and clear and they could be sacked, whether or not we pressed charges. Of course security was important, but it was physical security that worried us – and the police were always there to back us up if our physical perimeter was breached. So what had this to do with marketing? In those days, almost nothing – security was seldom used as a differentiator. If you were handling cash, or high-value items, or drugs or anything with a high ‘street value’, then it was presumed that you had put in the necessary security. ‘Safe as the Bank of England’ was a saying from the past – and more recently there have been advertising campaigns that talk about getting the security of certain groups of companies ‘around you’. Physical security plus financial security – something you could kick and feel and see – providing a nice warm feeling.

You were pretty clear about whether or not your organisation was a ‘target’. You could identify your physical defences and contrast them with the value that an attacker might steal (such as cash, valuables and easily disposable items), or you could decide you were just not worth attacking! In retrospect, a nice, simple life. So marketing in general took security for granted, and certainly did not get directly involved. And please note that ‘security’ meant one thing only: protection from actual physical loss. Therefore, the items were being protected from being stolen, copied or destroyed. But who thought of protecting things from being altered? Or from being kept out of your own reach for a crucial period of time? Also, most items were ‘physical’. Yes of course documents were often involved, especially if they had intrinsic value, but the protection of information was rarely discussed because information was not such a readily available commodity. Today, the ‘e-revolution’ has broken through our parameters. A modern organisation that communicates by email and via the Internet has inserted the equivalent of the M25 straight into itself – and anything can drive along it, unless you have taken the necessary management decisions followed by the necessary technical responses. It is never the other way round: you have to take the information risk management decisions at board level, and then inform the IT department of the criteria against which to work. It is madness to expect the IT people to understand the relative value of each type of information within your organisation and its relative importance in terms of confidentiality, integrity and availability. So what does all this mean for today’s marketing management?

These marketing aspects! You are responsible (on behalf of your board) for the protection and enhancement of your brand. Almost everything stems from that responsibility, because if you allow your brand to be damaged then everything else suffers, and the spiral is downwards, fast! Pre-‘e’ your brand was similarly affected by your reputation. Nothing new there then; except that today someone can affect your reputation (and your brand) from the other side of the world, without actually caring one jot about what they are doing, and at almost zero cost to themselves either in time, resources or actual financial outlay. What is worse, they often do not realise what they are doing to you – they do not understand the consequences of their actions. It is almost as if a baby has been given the controls to a guided-weapons system – it has no concept of what it is doing when it presses the buttons, but the result is as catastrophic as it would be if ‘an expert’ did it deliberately. It is too easy to do damage electronically, and it is made too easy by the very fact that we rely on communicating by a system that was never designed to be secure. The Internet was originally built to allow communication amongst academic groups, known for their preference for sharing information. It was not supposed to be the world’s ‘trusted business backbone’. The other reason why it is too easy to create ‘electronic damage’ is that too many organisations and individuals do not understand why they must take steps to protect their ‘e’- base. They think (if they think about it at all) that it is ‘someone else’s responsibility’. It is seen as a technological issue – even by managers who should know better. Thus, we have a new challenge: the owners of information do not control access to it, whereas the access controllers (the IT management) do not know the relative value and vulnerability of the different types of information flowing round their networks.

Still, there is one overriding issue that is obvious: our most valuable asset today is information. With it we can continue our businesses whatever disasters may happen, whereas without it we are floundering like fish out of water. Therefore it is our information that we must protect, remembering that ‘information’ includes details of every aspect of our organisation, from what we produce, how we produce it (and what we buy to produce it) to why we produce it, details of to whom we sell it and through what channels, at what prices, and using which staff – everything. It is our human resources information, it is our future plans, our patents pending, our next acquisition, our commercial documentation, our websites, our manufacturing settings, our quality controls, our marketing databases… and it is all ‘online’, unless we have made very careful decisions about how we manage it. So we can have the equivalent of our Crown Jewels being unprotected on the equivalent of the M25 in our organisation, and yet we can have ‘virtual armed guards’ protecting something that is in the public domain anyway. It is easy for this to happen, particularly if there is a lack of understanding and communication between IT and the rest of the organisation (especially marketing). Shouldn’t marketing be responsible for such communication? Are we not responsible for everything that can affect the brand? The answer has to be yes; so another marketing aspect of the new ‘e-world’ is that marketing itself must take responsibility for all of these communications. Trust and confidence affect brands, and marketing has responsibility for the brand. Therefore marketing has direct responsibility for ensuring that your organisation promotes and ensures ‘e-trust’ and ‘e-confidence’. Furthermore, marketing must also take responsibility for all internal and external communications on this issue, otherwise they will occur in a piecemeal fashion, undertaken by people who are not trained in communications skills.