Data security managers need a healthy dose of the LP/security culture.
I've followed the recent onslaught of news stories about retail data security breaches with interest. There are many strong and loud opinions on who's responsible for securing data and who's to 'pay the piper' when systems are hacked. Some say the retailer is responsible. Others say the retailer is the victim. Some say the industry can self-regulate the problem. Others are calling for legislative action. Some seek to protect the retailer. Others seek to protect the consumer. It seems the only thing we can all agree on is that hackers are bad.
Customer-Focused: When Convenient?
An industry that depends on attracting and converting consumers has to accept responsibility for their personal security on many levels. Your customers trust that you're holding their personal information dearly, and they should rightfully hold you responsible if it falls out of your control, especially if it lands in the wrong hands. I talk to retailers every day. They all claim to make decisions — merchandising, customer service, and so on — based on the customer's best interests. They all claim to put the customer first. That is, until someone kicks a hole in the firewall and makes off with thousands of credit card numbers. Then retailers have a tendency to blame the intruder and seek protection from responsibility, leaving the now ex-customer facing a long struggle to recover their money and their financial identity.
That's why the entire retail enterprise can learn a lesson from the retail LP/security community. There are no raging public debates about physical security in retail. There's no federal legislation calling for DVR (digital video recorder) and door lock standards. None is necessary — retail loss and risk prevention professionals are used to working in a litigious environment. They're good at identifying and removing hazardous situations in the brick-and-mortar world. They guard against slip-and-fall incidents. They protect high-dollar merchandise. They use technology (e.g. DVRs, exception reporting software, and biometrics) and physical security to lock down stores. And when their loss prevention systems fail, they generally accept responsibility, secure the perimeter, and prevent the loss from happening again.
The determination of who's ultimately responsible for data security in retail is still shaking out. Is it the IT department? Is the LP group responsible? Or is it operations? The short answer is that everyone who handles data is responsible for its security, which translates to just about everyone from the cashier to the CEO. It's well past time for retailers to give data security — particularly consumer data security — the same kind of attention the LP folks give physical security.