StorefrontBacktalk

This is page 2 of:

Public Connections? Don’t Follow The Crowd

September 30th, 2009

Although in most cases it would be CIOs, or maybe even Chief Security Officers (CSOs), who would recommend appropriate standards, they are unlikely to be the ones who actually approve the standard. Approval of the security standards is typically done by the business leaders. (Line of business. Black Gold. Texas Tea.)

So when you are dealing with a franchise retail chain, you are likely dealing with hundreds or thousands of different business leaders (franchisees) who all have their opinion about the appropriate level of security and the associated costs. Because the value of different IT security approaches/frameworks is very difficult to quantify, it is very difficult to justify these expenses. What typically happens is that the CIO is forced to “trade down.” Consider this dialogue:

CIO: I recommend that we put a private frame network in every location to increase security and reliability.
Business Leader: That is too expensive.
CIO: OK, although we will definitely lose reliability, what if we went to a VPN-based approach?
Business Leader: Do you really need a private network to process credit card transactions?
CIO: Technically, no, but…
Business Leader: Well, then can’t you just put in a firewall?
CIO: We can, but we lose having a private network, and managing security policy on 1,000 different devices is difficult and time consuming.
Business Leader: You mean you can’t just install some software that will protect us?
CIO: We could install some application firewalls, but now you really leave yourself exposed to potential threats.
Business Leader: It’s settled. Each site will get a new installation of virus protection software. Great talk!

As with most things in IT, at the end of the day it comes down to the business leader making a decision about costs versus value. Unfortunately, in most cases, the true value of IT security will only be understood after an incident that impacts the business leaders occurs. The recent string of IT security breaches at large retailers should have had a greater impact on companies in the industry with the “If it happened to them, then it could happen to us” mentality. But, unfortunately, it did not and likely never will.

Instead, all of the emphasis is put on PCI and the deficiencies in the standards. I believe that this is mostly being done so that a CIO can say, “Hey, it’s not just me thinking this is the right thing to do, it is the standard/regulation/law.” Which takes away the debate.

What do you think? Love it or hate it, I’d love to gain some additional perspectives. Leave a comment, or E-mail me: Todd at Todd.Michaud@FranchiseIT.org.

Posted in IT Strategy/Industry, Mobile/Wireless/Contactless, Payment Systems, Security/Fraud, Software, Supply Chain

One Comment | Read Public Connections? Don’t Follow The Crowd

PoS Manager Says:
October 1st, 2009 at 11:54 pm
Something else to ponder in the VPN vs. Internet debate is in compliance responsibility. With a centrally managed option (such as a VPN) the corporation can control and enforce compliance, whereas without such a setting, each franchisee is provided with the tools to become compliant, however, the ultimate responsibility to follow those practices is up to them.

Managing 1000 security policies 1 by 1 is actually impossible and I’d venture much more expensive than a central option if the corporation takes on that role.

StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Kindle Convenience - StorefrontBacktalk is now available natively on the Kindle so you can read us on the place without a connection.

Read StorefrontBacktalk's Retailing Column every month at Retail-Week.com. Please click here for an archive of those columns.

Read StorefrontBacktalk's Retail Realities Column every week at CBSNews.com. Please click here for an archive of those columns.