
Friday, 8 June 2007

The “customer concern” argument for InfoSec is dead

Various news outlets are reporting that TJX has now been named in over 20 law suits, some class action. HarborOne Credit Union has apparently billed TJX $590k for costs and damage to brand.

TJX have reported an increase in sales of 5% according to Reuters yesterday. Analysts were apparently expecting 3.9%, so on that basis it has outperformed market expectations.

TJX’s share price dipped by over 2.5% at one point after the two announcements.

What does this all mean?

Well, customers don’t care, revenue is up. I can’t find any details about profit levels and it is possible that TJX slashed their prices to “buy” the customer. However, if that is the case, then it’s simply a case of price compensating for poor security. If TJX did not slash their prices, then the consumer simply doesn’t care.

So, as an organisation, you can be shown to lose over 45 million credit card details, cause at least $8M worth of fraud transactions and still increase sales.

Surely, this means that one of the staple arguments for InfoSec, that of “Brand Protection” is dead and buried. No one cares.

That said, the share price dipped by over 2.5% after the announcements. Was that due to “poor” trading or because of the law suits? The results have outstripped analysts’ expectations, so it doesn’t appear to be poor trading. This could suggest that the longer term effects of the law suits and the impact on profit levels from all the associated costs might be playing on shareholders’ minds.

I don’t know, but the interesting point this raises is that maybe we Security Professionals have been trying to sell the wrong issue. Perhaps we should be selling “shareholder confidence protection” and not “consumer confidence protection”.

Worth thinking about, I reckon.

Thursday, 31 May 2007

Maybe some progress at last.....

Well, well.... Maybe we’re getting somewhere. If you’ve read my previous posts you’ll know that there isn’t much support at my company for InfoSec in general, let alone any specific requirements, and I’ve been trying to find alternative ways of educating people. It looks like some of it has struck home.

The HR bod in charge of the company’s weekly newsletter has asked me to write a piece on “that InfoSec stuff you keep going on about” for the newsletter. I’ve agreed (obviously) and have said I’ll do a personal profile as well. Most of the directors have written profiles in the last few weeks so I’m jumping on that bandwagon!!!

Next, the company recently employed a Service Delivery Manager (SDM) to work within the IT department. This was a major step in the right direction as far as I was concerned, as under the previous IT Director there was no understanding of “service” at all. In the past, the IT department appeared to have an attitude of “we’re allowing you to work” rather than “we’re enabling you to work”. The SDM has been making quite a number of good changes, not least of which was the identification (after a little prompting from me) that our corporate data had no owners. Network directories and folders were used and abused by anyone and everyone. People were added to email distribution lists and given access to “restricted” folders etc. etc. without any sort of authorisation process.

So, the SDM has kicked off a process to review the way access permissions are requested, authorised and granted and has invited me and the Support Manager to a meeting to discuss it.

This is progress. Hurrahh!!

I just wonder why people have accepted his statements that such measures are necessary but rejected my previous statements along the same lines. I’m not going to complain about it; it just interests me why there is a difference in response.

I suspect it’s a question of him being on the “inside” of IT and me being on the “outside”. If that’s the case, I just have to find other “insiders” to educate with a view to them raising issues for me, without them realising it, of course.

Wednesday, 16 May 2007

The difference between business people and InfoSec people

OK, so TJX’s Q1 results apparently show “no noticeable decline in customer numbers” since the data breach. In this article an analyst from Avondale Partners is quoted as saying:-

"It still looks like there has been no meaningful fallout from the data systems breach as it relates to customer traffic," said Patrick McKeever, an analyst with Avondale Partners. "They did pretty well, all things considered."

The “they did pretty well” approach is a real problem in the InfoSec arena in my opinion. Short-sighted and blinkered views of the “here and now” are the domain of business people. They look at “today’s” results with “today’s” profits and “today’s” performance. InfoSec looks at “tomorrow’s” vulnerabilities, “tomorrow’s” threats and “tomorrow’s” attacks.

Basically, business people look at what IS happening, InfoSec people look at what MIGHT happen.

Maybe this is one of the fundamental reasons why business and InfoSec rarely see eye to eye without a very enlightened business person and a very enlightened InfoSec person at either end.