What I want to talk about here is how we move forward in addressing data security — more precisely, a framework for addressing the issue, not the particulars. First, I’m pleased to see various industry organizations mobilizing to form task forces, etc. to address this challenge — DMA, ESPC, MAAWG, OTA, etc. And equally impressive are the companies that have rushed to publish prescriptive advice (and even product solutions) for better management of customer data. Whether we totally agree with what’s being proposed is immaterial. It’s constructive movement in the right direction.
The framework I see for addressing this challenge is threefold:
1. Rally the industry and articulate data security/best practice guidelines
2. Encourage companies to apply those guidelines within their own environments
3. Provide a collaboration forum for companies to discuss common threats and share best security practices
Importantly, we need to engage all stakeholders (enterprises as well as service, technology and application providers) and different disciplines (marketing, business managers, IT/Ops, security specialists, etc.). Given this spectrum of stakeholders and disciplines, it’s unlikely that any one industry organization can serve as our single forum or voice. Their different memberships, agendas and perspectives make this unlikely anyway.
Nonetheless, that shouldn’t prevent us from closing ranks and collaborating across industry organizations to address a critical issue of common concern. And in doing so, we should leverage the diversity of viewpoints that these organizations represent to rally different constituencies within the industry to address the challenge at hand. Because while no single organization ‘owns’ the issue, all own the solution and will share in the outcome, good or bad. So I’d say let the DMA rally the marketing community and make the connection between customer data security, brand integrity and customer loyalty. And allow the OTA and other groups to mobilize IT/Ops and other constituents.
Let’s coordinate our efforts as best we can, but not worry too much about overlapping (even competitive) jurisdictions or agendas or being in lock-step on the statements issued. The important point to remember is that the ‘enemy’ is not each other but one who is attacking us all (our entire ecosystem), and that enemy thrives in our inaction.
The other point I want to make is on the ‘guidelines’ different organizations and companies seem intent on issuing. Don’t get me wrong, prescriptive advice in the area of data security is desperately needed. But I do have two concerns. First, we can’t allow any security checklist to become just an RFP check box — something that allows for a ‘wink and nod’ response to security concerns. The security examination needs to run much deeper and the commitment to being a good data custodian can’t be superficial. As others have observed, we need to create a culture of security. Second, we can’t allow any such checklist to become a competitive club, though those that don’t comply should be clubbed. I’m not naïve here — we compete with each other and data security will be a focal point of every sales cycle henceforth. However, data security breaches impact us all, and in hearing about them on the news, customers don’t differentiate between one company or provider and the next. We all get tarred with the same dirty brush. So using this issue as a competitive ploy, while probably unavoidable to some degree, carries risk to us all. My appeal is that we collectively focus on solving this long-term threat to our industry, and less on the short term gain to be had by twisting it to our individual advantage. I’m concerned about some of the self-serving commentary that’s already been issued.
Of course, the real heavy lifting in addressing data security must be done within companies — enterprises and service providers, in particular — in mapping their data flows from capture and storage to transmission and usage and the practices associated with each. And then it must be extended to cross-company relationships and involve technology and application providers too. Necessarily, this work is specific to each company and needs to be shielded from public view. However, there will come a point where we’ll need a forum for sharing the best business and technical practices that emerge from that work. We will need the kind of collaboration that occurs between members of the receiver community at MAAWG — a private, competition-free zone for comparing notes and assessing threats. At this point, I’m not suggesting it be any particular organization or even just one — only that as an industry we will need such a forum.