Federal Reputational Risk and IT Security – Not Just a Private Sector Problem

June 16, 2013

Many would say that reputational risk is something that only the private sector should be concerned with, and that for the federal government it’s not really a big issue. But in today’s digital age, with citizens dialing in to social networking and on-demand consumerization from any device at any time, I think we need to adjust that thinking.

The Administration has directed all Federal Agencies and Departments to have two mobile apps or smart device-capable Web sites this year. I think you get where I am going. The change is that we all expect that services from the government are ready, safe and secure. And that is what reputational risk is all about.

It is the ubiquitous connectivity from multiple device types and the movement to the cloud that provides change, and with it a shift in how we respond securely. Done poorly and noted by hackers, the ensuing attack greatly impacts one’s reputation.

What do I mean by reputation and how is it measured?

As you’ll learn by reading through the recently released study commissioned by IBM and conducted by the Economist Intelligence Unit, which interviewed 427 senior executives, three forces drive their reputation: best-in-class service, customer engagement, and trusted-partner status.

Note for those in the federal sector that each of these points to how well citizens view your ability to provide information and services and to be trustworthy with their information. And that is key when it comes to whether or not you can defend the nation, let alone ensure that the electricity stays on, transportation works and ATMs function. After all, if the government doesn’t work, what will?

How is IT central to this?

Well, technology is the common thread in delivering these services and hence many see that preventing the problem goes a long way in protecting the ‘brand’.

Unfortunately, due to many circumstances and issues around our economic challenges, this leaves us with a ‘let’s wait for an incident to happen so we can justify the expense’ mentality. But can you really take the damage to your reputation that cavalierly? This isn’t just about losing connectivity for continuity of business, but also includes data theft and breaches.

Three IT areas to minimize reputational risk

As reputational risk is really everyone’s problem across all sectors, I should at least point out three IT areas from the study that align with the business drivers, and on which we all should concentrate to keep risk from becoming a response situation.

1. Incident response

First is IT security, with many organizations focusing on accomplishing tasks in the future (read: after an incident).

If you look at the past several X-Force Threat Reports, you will note that SQL Injection is always listed. In fact, when I wrote the first X-Force Threat Report in 2002, it was on the list then. I point this problem out only because we have known of this attack vector for a long time. And looking at who is writing apps and making mobile Web sites with this common problem that hackers frequently use as a starting point, you can immediately see we have not dented this issue at all. Organizations are not even ready to respond, as they have no incident response plan or team identified.

2. Business continuity

Second is business continuity. I think many of us see that having the business running is a good thing. But we fail to see it as a reputational risk.

If the ‘lights’ are not on, will a customer just go somewhere else? Will they consider you reliable, safe and secure? With social media, can you hope that no one tweets you out and survive with an intact brand?

3. Technical support

Finally, technical support demonstrates your reputation most succinctly. We all recall that if we get great technical support, instead of what might have been a nasty complaint, we consume it as ‘they were on the ball and doing all they can to assist me’.

We all have experienced it, yet this is an area that many are not focused on as part of the reputation. It is the difference between a good organization and a great one.

Reputational risk is a serious matter of “trust” and “leadership” that any organization or agency that is watching out for our best interest or for our business needs to fully manage.

After all, your reputational risk reflects our reputations as either citizens or consumers of your services or goods.

Peter Allor
Federal Security Strategist, IBM Security

Peter Allor is a Security Strategist on cyber incident & vulnerability handling, where he assists in guiding the company’s overall security initiatives...