Friday, June 2, 2017

Ubiquitous Software Trend Requires Change in Software Security Incentive Structure (Blog #2)

One of the key global trends highlighted in several of the articles this week is the increasingly ubiquitous presence of software in our lives. From big data and advanced analytics, to embedded sensors and the Internet of Things, software is increasingly influential in the interactions we have with the world around us.  The May 2013 McKinsey Quarterly article, “IT-enabled business trends for the decade ahead” by Bughin, Chui and Manyika noted that one of the strategic implications for business leaders responding to this trend is the need to focus on data security. As customer’s information proliferates throughout databases, sensors, and things, the thinking is that data security will become a core customer expectation that could severely damage a business’s reputation if not met.

Thus far, in 2017, there is ample evidence to suggest that this particular strategic implication has not yet played out as envisioned. While the amount of data being managed by businesses has certainly increased at astonishing rates, so too have preventable data breaches brought on by known software security flaws and poor basic cyber security practices. And while the data breaches have already impacted literally billions of customers, there has been very little negative impact to businesses – at least as measured by their stock prices.

In a Harvard Business Review article, “Why Data Breaches Don’t Hurt Stock Prices,” dated March 31, 2015, Elena Kvochko and Rajiv Pant detail some recent examples. The Target data breach of 2013 was the biggest cyber attacks on a major retailer in history, affecting over 70 million customers. While Target’s stock dipped 10% in the immediate aftermath, within a few months, the stock price recovered to one of the highest regains in five years. Today, this data breach seems like a distant memory and many of those affected by the breach continue to shop there. Home Depot (2014), Sony (2011), Sears (2014), JP Morgan Chase (2014) all had similar astonishing rebounds in stock price very shortly after data breaches affecting millions of customer’s sensitive information. (Source:

In my view, at least part of this paradox stems from the lack of incentives for businesses to build security into software from the outset. Customers have come to accept that the software products they purchase are going to be rife with security flaws and bugs that will be patched throughout the product lifecycle. Software vendors favor pushing (insecure) products to market over additional security testing, code reviews, etc., largely because customers (and shareholders) have accepted this model and the resulting data breaches as an inevitable cost of doing business. One way to shape the future of this industry and correct this incentive structure would be for regulators to change the legal/regulatory landscape by defining software security standards and data breach liability laws such that it would increase the bargaining power of buyers and inflict more costs on businesses for deploying poorly secured software.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.