Breaches and Consequences: Thoughts On A Way Forward for the Email Community – Part 2

Dave Lewis
Apr. 18, 2011

What I want to talk about here is how we move forward in addressing data security — more precisely, a framework for addressing the issue, not the particulars. First, I’m pleased to see various industry organizations mobilizing to form task forces, etc. to address this challenge — DMA, ESPC, MAAWG, OTA, etc. And equally impressive are the companies that have rushed to publish prescriptive advice (and even product solutions) for better management of customer data. Whether we totally agree with what’s being proposed is immaterial. It’s constructive movement in the right direction.

The framework I see for addressing this challenge is threefold:

1. Rally the industry and articulate data security/best practice guidelines
2. Encourage companies to apply those guidelines within their own environments
3. Provide a collaboration forum for companies to discuss common threats and share best security practices

Importantly, we need to engage all stakeholders (enterprises as well as service, technology and application providers) and different disciplines (marketing, business managers, IT/Ops, security specialists, etc.). Given this spectrum of stakeholders and disciplines, it’s unlikely that any one industry organization can serve as our single forum or voice. Their different memberships, agendas and perspectives make this unlikely anyway.

Nonetheless, that shouldn’t prevent us from closing ranks and collaborating across industry organizations to address a critical issue of common concern. And in doing so, we can leverage the diversity of viewpoints that these organizations represent to rally different constituencies within the industry to address the challenge at hand. Because while no single organization ‘owns’ the issue, all own the solution and will share in the outcome, good or bad. So I’d say let the DMA rally the marketing community and make the connection between customer data security, brand integrity and customer loyalty. And allow the OTA and other groups to mobilize IT/Ops and other constituents.

Let’s coordinate our efforts as best we can, but not worry too much about overlapping (even competitive) jurisdictions or agendas or being in lock-step on the statements issued. The important point to remember is that the ‘enemy’ is not each other but one who is attacking us all (our entire ecosystem), and that enemy thrives in our inaction.

The other point I want to make is on the ‘guidelines’ different organizations and companies seem intent on issuing. Don’t get me wrong, prescriptive advice in the area of data security is desperately needed. But I do have two concerns. First, we can’t allow any security checklist to become just an RFP check box — something that allows for a ‘wink and nod’ response to security concerns. The security examination needs to run much deeper, and the commitment to being a good data custodian can’t be superficial. As others have observed, we need to create a culture of security. Second, we can’t allow any such checklist to become a competitive club, though those that don’t comply should be clubbed. I’m not naïve here — we compete with each other, and data security will be a focal point of every sales cycle henceforth. However, data security breaches impact us all, and in hearing about them on the news, customers don’t differentiate between one company or provider and the next. We all get tarred with the same dirty brush. So using this issue as a competitive ploy, while probably unavoidable to some degree, carries risk to us all. My appeal is that we collectively focus on solving this long-term threat to our industry, and less on the short-term gain to be had by twisting it to our individual advantage. I’m concerned about some of the self-serving commentary that’s already been issued.

Of course, the real heavy lifting in addressing data security must be done within companies — enterprises and service providers, in particular — in mapping their data flows from capture and storage to transmission and usage, and the practices associated with each. And then it must be extended to cross-company relationships and involve technology and application providers too. Necessarily, this work is specific to each company and needs to be shielded from public view. However, there will come a point where we’ll need a forum for sharing the best business and technical practices that emerge from that work. We will need the kind of collaboration that occurs between members of the receiver community at MAAWG — a private, competition-free zone for comparing notes and assessing threats. At this point, I’m not suggesting it be any particular organization or even just one — only that as an industry we will need such a forum.
