June 16, 2013 By Peter Allor 3 min read

Many would say that reputational risk is something that only the private sector should be concerned with, and that for the federal government it’s not really a big issue. But in today’s digital age, with citizens dialing in to social networking and on-demand consumerization from any device at any time, I think we need to adjust that thinking.

The Administration has directed all Federal Agencies and Departments to have two mobile apps or smart device-capable Web sites this year. I think you get where I am going. The change is that we all expect that services from the government are ready, safe and secure. And that is what reputational risk is all about.

It is the ubiquitous connectivity from multiple device types and the movement to the cloud that provides change, and with it a shift in how we respond securely. Done poorly and noted by hackers, the ensuing attack greatly impacts one’s reputation.

What do I mean by reputation and how is it measured?

As you’ll learn by reading through the recently released study commissioned by IBM and conducted by the Economist Intelligence Unit, which interviewed 427 senior executives, three forces drive their reputation: best-in-class service, customer engagement, and trusted-partner status.

Note for those in the federal sector that each of these points to how well citizens view your ability to provide information and services and to be trustworthy with their information. And that is key when it comes to whether or not you can defend the nation, let alone ensure that the electricity stays on, transportation works and ATMs function. After all, if the government doesn’t work, what will?

How is IT central to this?

Well, technology is the common thread in delivering these services and hence many see that preventing the problem goes a long way in protecting the ‘brand’.

Unfortunately, due to many circumstances and issues around our economic challenges, this leaves us with the ‘let’s wait for an incident to happen so we can justify the expense’ mentality. But can you really take the damage to your reputation that cavalierly? This isn’t just about losing connectivity for continuity of business, but also includes data theft and breaches.

Three IT areas to minimize reputational risk

As reputational risk is really an everyone problem across all sectors, I think I should at least point out, from the study, three IT areas that align with the business drivers and that we all should concentrate on to keep risk from becoming a response situation.

1. Incident response

First is IT security, with many organizations focusing on accomplishing tasks in the future (read: after an incident).

If you look at the past several X-Force Threat Reports, you will note that SQL injection is always listed. In fact, when I wrote the first X-Force Threat Report in 2002, it was on the list then. I point this problem out only because we have known of this attack vector for a long time. And looking at who is writing apps and making mobile Web sites with this common problem, which hackers frequently use as a starting point, you can immediately see we have not dented this issue at all. Organizations are not even ready to respond, as they have no incident response plan or team identified.

2. Business continuity

Second is business continuity. I think many of us see that having the business running is a good thing. But we fail to see it as a reputational risk.

If the ‘lights’ are not on, will a customer just go somewhere else? Will they consider you reliable, safe and secure? With social media, can you hope that no one tweets you out and survive with an intact brand?

3. Technical support

Finally, technical support demonstrates your reputation most succinctly. We all recall that if we get great technical support, instead of what might have been a nasty complaint, we consume it as ‘they were on the ball and doing all they can to assist me’.

We all have experienced it, yet this is an area that many are not focused on as part of their reputation. It is the difference between a good organization and a great one.

Reputational risk is a serious matter of “trust” and “leadership” that any organization or agency that is watching out for our best interest or for our business needs to fully manage.

After all, your reputational risk reflects our reputations as either citizens or consumers of your services or goods.
