In the wake of high-profile data breaches at Target and other major retailers, security was top-of-mind at this year's HITEC. At the opening keynote session, however, former Google CIO Douglas Merrill emphasized the need to balance data security with the ability to achieve a business's objectives.
"People are writing checks based on fear," Merrill said, citing statistics that showed 80 percent of CEOs believe they have been hacked in the last 12 months, when in fact, "the real number should be in the single digits."
Much of the talk revolved around the strong incentives to innovate that companies face in today's economy. Of the 100 companies on the Fortune 100 list in 1990, two-thirds had disappeared from the list by 2010, Merrill said. Even accounting for companies that had dropped due to name changes or mergers, the message was clear: companies that fail to adapt to a changing landscape do not last long.
How can companies keep up? Merrill illustrated with the stories of two brands and the different ways in which they engaged with their customers.
The first vignette came from his time at the record label EMI, at a time when the music industry faced significant challenges. Rather than taking a look at the music, the industry put the blame on music pirates, and decided to sue individuals for pirating music.
"This is like selling soap by throwing dirt on your customers," Merrill said.
During his time at EMI, a lawsuit against an individual pirate might average a payout of $7,500 - at an average cost of $25,000 per lawsuit. But did the lawsuits deter piracy?
Merrill decided to try an experiment. He went to Limewire, and cross-referenced the top 100 sharers on Limewire with the top 100 music buyers on iTunes. There was significant overlap between the two lists because, as Merrill discovered, users were using Limewire as a means to try out individual tracks before buying.
"Limewire was essentially paying us to be a marketing channel - and we sued them out of existence!" Merrill said.
At the same time, listening to customers too carefully had its own pitfalls. During his time at Google, a focus group indicated that they would like the search engine to display 20 results on its first page, rather than 10. However, when Google tested the change, search traffic dropped by 5 percent, because displaying the extra results doubled the time it took to return a search. Though they did not realize it, customers valued speed over the extra results.
How do these two stories relate to data security? Both rely on the collection of user data in order to learn more about a business's customers. There are generally two main obstacles to collecting this data, Merrill said: information security people and lawyers. Information security professionals want to minimize the amount of data stored to reduce risk, and lawyers worry about running afoul of privacy regulations.
"When building an information security function, there are two important things to understand," Merrill said. "It's important to have a theory of security, but at the same time you have to have the constructive power of pragmatism. You have to care about getting things done."
It was in this light that Merrill turned to the Target data breach. "It's arguably the largest security breach of all time," Merrill said. "But really, what was the impact?"
Merrill's assessment of the impact downplayed the severity of the event which, according to a New York Times analysis, led to a 40 percent decline in the company's profit in the fourth quarter of 2013 versus the same period the prior year.
"Almost no one had fraudulent charges that couldn't be explained, and the stock went down by one percent the day the CEO got fired," Merrill said. "It was humiliatingly bad, but it didn't matter. I'm not saying security is unimportant, I'm saying that it is done incorrectly. All you care about is winning."