I’ve often been asked what the business case for information security is. Or, what actual evidence exists, rather than sales rhetoric or anecdote, that information security can deliver prosperity, adding to an organisation’s or even a nation state’s bottom line? Here’s one of my longest-standing arguments.
Switzerland has one of the highest standards of living in the world. According to the IMF it has the 4th highest GDP per head, low government debt and one of the lowest unemployment rates in the EU. The population enjoys relatively high rates of disposable income and has access to public services and infrastructure which are the envy of the world. Overall levels of prosperity, combined with good health, mean that the Swiss enjoy the highest life expectancy in the developed world. If global corporations are the new nation states, it stands to reason that nation states which have prospered as effectively as Switzerland may have something to teach today’s business leaders. Who would have thought that the contribution of information security to prosperity, particularly the characteristic of confidentiality, would be one of them?
The Swiss brand is synonymous with banking. Swiss banking services, in turn, are synonymous with confidentiality or, some would call it, secrecy. In the language of the branding profession, confidentiality would be a brand value of both Switzerland and its banking sector.
The importance of confidentiality to individuals, businesses and even nation states has been recognised and capitalised upon by Switzerland and its banking sector. This happened long before the internet came into existence and cyber security became recognised as an issue. Rightly or wrongly, people and businesses have had their reasons for ensuring the confidentiality of information relating to, amongst other things, their financial status. The benefit of this confidentiality has outweighed the premium associated with working with these institutions.
This is a risk-based decision that mirrors the challenges people, businesses and nation states face today in the digital information economy. The processes of risk assessment and management are core to the information security professional and profession. Identifying what information you have, and the risks and opportunities associated with it, is fundamental to developing a strategy that supports and enables business whilst managing potential negative risks.
For the Swiss this has paid healthy dividends since the 18th century and, arguably, back into the Middle Ages. For many customers of the Swiss banking sector, both business and personal, it has influenced where much of the world’s tangible and intangible wealth is located.
“33%, or $6.7 trillion, of global funds invested offshore, i.e. outside of their country of origin, can be found in Switzerland.”
Confidentiality has been recognised by the Swiss Banking Organisation as an “important part in an investor’s decision to deposit his/her assets in a Swiss bank.” This has enabled the sector to grow and contribute to national economic and social prosperity on an unprecedented level.
- 8.8% of GDP in 2011 was generated by Banking.
- 42.8 Billion Swiss Francs in 2012.
- Employs 136,000 = 5.6% of total national workforce.
The tax revenues generated have fuelled investment in public services and infrastructure. Businesses and individuals have invested significantly in Switzerland; this has led to greater demand for supporting services and products, which in turn has driven broader economic and social prosperity.
This success has not been left to chance. As with any effective information security strategy, there is a clear objective, a well-resourced plan for achieving it and commitment from the top. In this case:
A) The objective is to develop a brand synonymous with confidentiality to provide a competitive advantage in the global economy and drive social prosperity;
B) The resources have been made available to make the brand vision a reality;
C) The top is the Swiss government, not the Board of Directors, which sees through the changes needed.
Whilst evidence of banking secrecy stems all the way back to the Middle Ages, the most obvious sign of Switzerland’s recognition of the importance of confidentiality and privacy was when it enshrined these rights in Article 13 of the Swiss Federal Constitution. Think of this as the Board’s information security policy. The banking sector then enshrined this specifically in Article 47 of the Federal Act on Banks and Savings Banks in 1934. You can think of this as a compliance or regulatory policy.
However, the existence of a policy, or reference to privacy in the constitution, doesn’t mean the benefits are immediately recognised. As important as the policy or constitutional clause is the effectiveness of its implementation, monitoring and enforcement. The enshrining of privacy into the Swiss Constitution required broad engagement across the institutions responsible for the creation of laws, law enforcement, industry regulation and education, for example. This was stakeholder engagement, and good overall governance, on a grand scale. However, it has resulted in a level of cultural awareness which many now strive for in the digital society. Again, when we replace these institutions with organisational department functions, we can see that information security requires stakeholders, many of them with disparate interests, to understand “what’s in it for them” or to be driven, by the board, to implement the changes that are necessary.
So, in summary, the Swiss experience shows us that there is a business case for confidentiality, that this has brought economic and social prosperity to individuals, business and society as a whole, and that the process of realising this prosperity shares many traits with the measures that business must take to implement an effective strategy for managing information security risk.