When the data being collected is of a personal nature, this security discussion becomes more about privacy than traditional IT security. You are making a choice as a company to collect data about your customers, about your employees, and probably business partners to improve your business. The question Ginni puts out into the market is key, is the value you provide back to those audiences worth their providing you that information, and are you genuinely concerned about their privacy and trust as symbolized by your company.
Privacy, as compared to overall security, is a little different so let’s take a walk on a non-computer example.
You are visiting a friend or family member. You go to the restroom and there is the medicine cabinet. At this moment, there is an opportunity to open that door and peak inside. You are curious, we all have moments of intrigue or curiosity, that we know opening that door may not be appropriate. At this moment there is a reward for opening the door: You satisfy your curiosity of what is being kept behind the door. The risk is obvious, you are risking a relationship, a friendship and honestly you may discover information that would change your opinion of them. But, by opening the door, you have for all practical purposes jeopardized the trust of the person whose medicine cabinet door you opened and if they were aware their trust in your personally may be irreparable.
My thoughts are evolving as many of yours are, with regards to this new era of internet commerce, social media, and mobile. When you open up these “cabinets of information” because you can access them are you considering all of the ramifications of viewing, collecting and storing information?
I keep coming back to three questions that should be asked, when considering how you collect and handle personal information:
- Is there a key REWARD, to your business to collect and store specific personal information about your customers, employees and is that reward shared with those whose data you collect?
- Is that value greater than the RISK of loss of that data to your competitors, thieves, or potential government agencies requesting it?
- Does it truly increase the TRUST and strength of your relationship with that customer or person?
Let's take the medicine chest example into the Internet of things. Facebook, as reported in the press, will and wants the permission to turn the microphone on your phone through their mobile apps. The REWARD is that Facebook will learn even more about me to better target services and advertising. There is an inherent RISK here. Facebook won't just hear what music I listen to, but truthfully everything within the capability of that microphone to pick up will now be stored on a Facebook server. There is a risk that information could be leaked., and the question of increasing TRUST in their relationship with their customers and users is key.
There is also, and interesting twist, if what I am doing is not legal then all of a sudden there is incriminating evidence all across the Facebook servers that law enforcement could leverage. Is the reward to Facebook to collect that data so valued to them and their customers that they are willing to take that risk? Frankly does it really increase the level of trust between them and their end customer or as one might surmise decrease it. What if there is a violent crime being committed at a given moment, and Facebook has permission to be monitoring my phone and could have alerted the police and chooses to do neither?
As you look at these questions, they are not that new, just more complex. These topics and how companies protect their own information, collect necessary information from their customers and ecosystem while protecting the privacy and trust of these constituents has been going on since the beginning of computers, networks, and were heightened in the 90’s around ecommerce and the dawn of the Internet. In the 90's I led the discussion at IBM Internet Executive Briefing center focused on these same security issues that varied in intensity based on country, industry and varied regulations.
The challenge as we continue to accelerate the change to society around mobility, social media, and growing digital information is to assure we all take into account the seriousness of these choices beyond just the business value.
What you should do, and how you proceed, should follow the wise guidance of Ginni Rometty and remember these choices not only effect the privacy of your company, your customers and employees, but also the trust and value entrusted to your company's brand and reputation