Information security: it’s all about integrity

The way your business approaches security is often viewed as a simple cost-value equation. You may not know that your customers may view you very differently, and the way you approach information security today often influences how the public views your overall integrity, whether they like it or not.

In the early 1990s, the US Customs Service took the handling of information extremely seriously. Policies were periodically reviewed, access and activity continually monitored, and security of both physical and technological information was almost a fanatical exercise in dedication to detail and oversight. However, other than law enforcement, few organizations even considered information security.

Over the past 30 years, I’ve seen some pretty stark differences in how information security is handled in both the public and private sectors. Within each one, the attention paid to it varies significantly. Local governments, for example, often lag far behind the private sector simply because there is an attitude that they don’t need to worry as much about it. A lot of this has to do with simple complacency, but there is also conflicting information from state and federal agencies, and compliance requirements are often vague and applied differently each time auditors present themselves.

My observations from the public and private settings have largely been a mix of ambivalence, reluctance, and poorly drafted regulatory mandates. Enforcement and auditing efforts are all over the place in terms of consistency, completeness, and compliance.

An example: the enforcement of CJIS rules in the state of Idaho is terrible. Getting hold of someone from the state security office is a futile exercise in itself. I once called that office 15 times and waited 4 months for a simple answer when I asked for details on the passphrase complexity requirements. IT departments in law enforcement are often left to their own interpretation of CJIS requirements, and frequent changes in the way the state reinterprets CJIS guidelines leave them struggling to meet guidelines that are later adopted or delayed for years.

The good news is that over the years, information security measures have grown and matured. The bad news is that this is only happening because recurring corporate and government security breaches have significantly increased public fear.

When Sarbanes-Oxley arrived after Enron, public companies rushed to meet minimal expectations and called it a victory. Does this answer sound familiar to you? “As long as these checkboxes are completed, I am ready for one more year.” Of course, not all companies took this approach, and that is where customers’ perception of a company and its integrity began to take on a more prominent role.

One company actually considered antivirus a luxury and stated at a department meeting one day that installing antivirus software would be “something to consider for the future.”

That future became very real just a week later …

Their entire network was infected in a single event. Four days later, 30 technicians working around the clock finally cleaned up the mess that had spread throughout its five facilities and made a significant impact on its business. Of course, being a Las Vegas casino, public opinion on integrity was already low for the entire industry and public opinion on quality in particular was not really a factor.

Can you imagine someone taking that perspective today? It wasn’t that long ago that more than 100,000 Idaho Medicaid records disappeared, so don’t think it doesn’t still happen.

Even Idaho Power had to learn the hard way. In its case, a mishandled hard drive became a source of public embarrassment when private customer information made its way onto the Internet. Both cases created a public outcry; difficult questions had to be answered and immediate changes were necessary.

And of course, we can’t have this conversation without mentioning Target, or Yahoo, just to name the most recent companies that have been victimized and have had their shortcomings exposed very publicly.

These examples highlight cases where a serious dedication to information security and information management could have saved a lot of headaches. To be sure, the perception of those companies by their clients suffered significant setbacks as the level of trust and faith eroded overnight.

Do these examples reflect a failure in the process? Was the application of the regulations lacking? Some would like to blame the regulations for their own failures, and it is very simple to say “We just follow the guidelines.” “We met the [minimum] requirements!”

They may be right and may even have met certain minimum guidelines, but breaches in information security can still negatively affect their integrity. Breaches can also cause serious repercussions with your clients and even legal action.

When was the last time you did not question the integrity of a company sued for failing to protect information?

Do you consider information security to be a matter of your personal integrity? Should …

Businesses that take it seriously will foster an environment that links the integrity of their business with adherence to effective security policies.

These companies pride themselves on being proactive about how they serve their clients’ interests, and information security shows this in a very personal way. When your client discovers that their health or other private records have been compromised, things get personal very quickly.

Your attention to data security within your business will be seen as a direct reflection of your integrity as a whole, and how your integrity is viewed by the public and potential customers will always be a factor in your decision making, whether you know it or not.

If information security is still something you “have to do” because you are told you have to or just because some regulation says you have to, then you have missed the point entirely. We must take pride in that responsibility, and we must link our own integrity to the way we approach information security.

When you take it personally and always strive to do better and achieve more, you start doing more than simply meeting and exceeding regulatory guidelines. It also builds trust and encourages your customers to understand that your company has integrity and values them and their information in a way that also becomes personal to them.
