The SailPoint team is out in Las Vegas this week, exhibiting at the IBM Pulse conference. I’m happy to say that attendance is quite healthy, despite the tough economy – around 4,000 according to the show organizers (of course this includes IBM staff) – and the SailPoint booth has been very busy. Many of us are former Tivolians, so it’s been fun to catch up with some of our old friends and colleagues.
IBM really knows how to put on a show. CBS’ Forrest Sawyer kicked off the opening session, which featured a presentation by Jim Haney, the CIO of Harley-Davidson. Jim, dressed in biker garb, talked about how Tivoli service management is helping H-D better serve its customers and dealers. Jim showed a video of customers and dealers talking about their passion for all things Harley-Davidson. It’s obvious that the company enjoys not just brand loyalty, but brand passion. (There aren’t many brands that people will tattoo on their bodies – am I right?)
Speaking of corporate brands, I just read a Forbes article on the latest Ponemon Institute study on the cost of data breaches. According to the article, the cost of lost customer loyalty is on the rise compared to other data breach costs. While costs for detection, notification of victims and credit monitoring services all fell during the last year, the cost of lost business grew an average of 8.5%, as customers stopped dealing with businesses they considered negligent with regard to data security. According to Larry Ponemon, “people really do care when organizations screw up and lose their data” and will leave one brand for another based on decreased trust. This study was conducted in the UK, but I’d guess that its findings apply fairly well to other geographies.
I’m skeptical of the view that security investments require a hard ROI, so it will be interesting to see how this survey data gets used. This type of quantitative data is very useful, however, for risk management – it can help managers make business-level tradeoffs about security costs vs. the adverse consequences of not investing. If you are able to quantify consequences and to estimate the likelihood of a threat occurring, it’s easier to justify spending to mitigate or avoid the risk of data breaches. (For those of you interested in how to quantify threat likelihood around identity management, I refer you to SailPoint’s identity risk model, which assigns risk scores based on user access to sensitive applications and data, policy violations, and proof of management oversight over a user’s access.)
Anything that improves an organization’s risk management discipline is a good thing! What do you think?