Gartner Blog Network

Security and Privacy Remain Doomed with the Rise of Digital Business

by Paul Proctor  |  February 20, 2014  |  1 Comment

You think Target was a big deal? Get ready for more of the same thanks to the attitudes and understanding of consumers and corporate leadership.

The cultural disconnect between business decision makers and technology risk remains epic. They still believe this is a technical problem, handled by technical people, buried in IT. You don’t need to look any further than this report by NPR on digital startups and security at CES by Aarti Shahani (@aarti411).

In the piece, one startup CEO for a wearable that is gathering sensitive health information says, “So what kind of security you will need with your own sleep and wellness data, which is stored in your own mobile device?”

I get the fact that he is focusing on feature and function because he has limited resources, but c’mon man! He was being interviewed by a national radio program and demonstrated complete ignorance of the security risk. This is not some thoughtful trade-off, or strategy, this is pure ignorance.

This is a CEO who, if he is successful with his company, will be wondering later why he has to invest in all this “security” stuff. Didn’t he hire people to take care of this? Did he hire the wrong people?

Or worse, after his wearable gadget leads to the compromise of millions of people’s personal health information, will he feel responsible, or just scramble to find a way to save his company?

Has he signed off on the privacy language on the website with an equal lack of knowledge? The FTC loves to hold liable companies that carelessly promise security to consumers and fail to deliver.

With such wanton ignorance, will he skip any consideration of public-cloud related risk when he decides that’s a great new strategy that will benefit his customers and his shareholders?

In another story on NPR by Dan Charles (@nprdancharles) about sensitive information in the cloud, the focus is on both customer knowledge and corporate decision making. This is a story about farmers allowing the big agricultural companies like Monsanto and John Deere to gather sensitive, detailed information on their entire cycle of crop management. There are questions posed about cloud security, farmer knowledge of technical risks, and the use of the data to potentially manipulate markets.

The farmer says (I’m paraphrasing): “I don’t have a problem with them gathering this information. They’re my partner.” The companies say: “We will always protect the information and we would never share it or manipulate markets.” Does this tune sound familiar?

I’m explicitly not calling into question Monsanto or John Deere’s decision making because I have no knowledge of it, unlike the CEO above. I’m calling attention to the issues that are swirling around us and a continued ignorance of consumers and many corporations. As digital business rises, more failures will mount until understanding and decision making improve across the board.

Accepting risk is always a legitimate business decision, but it is only defensible if it follows a serious consideration of the attendant risks. You can’t just stay willfully ignorant and say “we accepted the risk.”

Security by heroes doesn’t work anymore. “IT risk is business risk” is not just a platitude anymore. Business decision makers can’t remain disconnected from a proactive consideration of technology and privacy risks as they engage in digital business.

I applaud NPR for their stories and I hope to see others in the press keep after these issues.

Follow me on Twitter (@peproctor)

Paul Proctor is a vice president, distinguished analyst, and the chief of research for security and risk management at Gartner. He helps organizations build mature risk and security programs that are aligned with business need.