Designing Security with Brand in Mind

Monday, February 06, 2012

Steven Fox, CISSP, QSA


Does your service delivery process reflect your company brand?

The intangible nature of a brand sometimes defeats our ability to connect it to aspects of our work product and client communications.

We sometimes view a brand only in terms of our company’s logo or motto, easily losing sight of the subtext those symbols communicate.

A brand’s purpose is to communicate a promise to a potential customer. Operational alignment with a brand can be accomplished by focusing on how the company has fulfilled that promise.

According to Gary Moss, chairman of Brand Vista, “real Brand Alignment demands an aligned approach across a brand’s customer service, key company processes, staff training and all the important activities that impact key customer touch-points – not just its marketing communications.”

One of these touch-points is the implicit promise that the security of client information is assured at an acceptable risk level. Why is it important to deliver security services consistent with your brand?

The fundamental archetype created by your brand must be supported by behaviors which confirm its relevance. Performance that is inconsistent with the brand will lead your customers to question your brand promise.

For example, a Los Angeles-based retail chain targeting the Latin American community engaged me to perform a vulnerability assessment and penetration test on their headquarters and sample stores.

During my preparation for the assessment, I analyzed their marketing presence. These materials promoted a business that served its customers honorably and was a good steward of their trust.

My assessment of their store locations, however, revealed default passwords on their Point of Sale terminals and on the servers that communicated financial information to the main office. Additionally, the lack of back office physical safeguards was obvious from the cashier lanes, making it a target.

The lack of consistency between the brand and risk management controls had its greatest impact in the behavior of store employees. Recognizing the lack of policy enforcement and security investments, they began to question their brand promise and their role in its enforcement.

My final report focused on the critical vulnerabilities, descriptions of successful attacks, and screenshots of the assets that could be compromised. Embedded in these observations were references to the literature which communicated their brand and notations of how their security practices were inconsistent with that brand.

These insights, together with the technical details, allowed them to revitalize their security training program and make strategic control investments.

In closing, branding is not just for the marketing department. We are all responsible for shaping and strengthening the brand that promotes the ethos of our work. 

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.