Infosec experts to consumers: You’ve got the power

Consumers need to use their buying power to send a message that they value security, experts said Saturday during a panel at the 2018 South by Southwest Interactive Conference in Austin.

The panel, dubbed “Welcome to the ‘Internet of Threats’” intended to break down concerns in a rapidly-changing security landscape where more and more devices are being connected to the internet.  These devices sometimes have no reason to be connected to the internet and often come from companies that have spent little time considering privacy or security matters.

“How many of you are quite used to seeing something in the news around a data breach, or product that was insecure?” said John Gift, director of information security at Domino’s Pizza, during the panel.  “A lot of these organizations, they do recover relatively quickly, which is a great thing, but… understand your power with regards to: if something does happen and you go back and you still buy these products, then are we really sending the message that security’s important?”

Gift said he wants to “empower the user” to say “we’re not going to purchase products that may be insecure.”

Having customers vote with their wallets is often an action that makes companies change their processes. Gift, who led Target Corp.’s security operations center after their high-profile data breach in 2013, said Target lost customer traffic after the incident that exposed 40 million customer debit and credit card accounts.

“What happened right after the breach is people were going with cash. A lot of people weren’t comfortable going [to the stores],” Gift said. “Consumers spoke and said ‘We don’t trust this brand.’ ”

The brand responded by investing “$100 million or so on information security to make sure that it was beefed up,” he said.

Consumers also need to ask companies what exactly an internet-connected device is doing, said Tom Pageler, chief security officer and chief risk officer at Neustar, Inc.

“We should be demanding that they tell us that,” Pageler said. “I’m sure that people have an Alexa device in your house, what’s it really doing? How much is it listening? Is it recording?”

Gift said companies have started to realize security is important and are working integrate it from a product’s inception.

Security professionals are “in the executive suite,” and they are getting the money they want, Pageler said.

“There’s been times where they want to give me money that I’m like ‘Look, I shouldn’t have the money,’” he said, adding that he tells leadership to give the money to operations to fix other problems.

“I can actually get money for the operations team to do what they need from a security angle,” he said.

It can be difficult, though, for security professionals to explain to executives that the company is still going to have to take on some risk, said Earl Crane, co-founder and CEO of Emergent Network Defense.

“That’s hard to get across to other executives where they say ‘Here’s the risk, don’t end up on the front page or you’re going to get fired,’ ” he said. “The ‘front page of the newspaper’ metric isn’t the right metric to use because we have to be pushing the envelope for competitiveness.”