Wanted: Global rating system for security
Computerworld
With corporate accounting practices under fire, are security practices next? The kindling may already be in the pit.
Data security remains largely undefined and unenforced across private industry. The result? Companies underinvest in security, and a steady stream of publicized security breaches keeps customers from trusting e-commerce.
What we need is an independent system that gives "triple-A" or "junk bond" ratings to companies' data security. The private sector needs a global rating system to let customers know whom to trust with their data.
We won't find this rating system in the world's privacy laws. Nearly every such law requires companies to impose their security standards on their suppliers -- but the laws don't detail what those standards should be. Europe, Canada and Australia require companies to deploy data security that is commensurate to the risk of data compromise, but they don't define what that means. Complying with these meaningless standards won't give companies what they need to win customer trust.
Likewise, the largest companies are doing a lousy job of conveying the value of data security. Only 29 of the Global 100 say anything in their online privacy statements about their data security. Just 13 claim to encrypt your data in transit, something you learn to do in Security 101. Most simply say they use "appropriate measures" to protect customer data, and there is even an emerging trend to add weasel words such as "but your data is never 100% safe." These tactics may be a good legal defense, but they won't build market confidence.
Governments and corporations struggle to talk about security because no one recognizes a common security language. The British Standards Institution's BS7799 code is so comprehensive a masterpiece that no one can afford to adopt it. The Visa Cardholder Information Security Program is more digestible, but it isn't designed to communicate security value to the general public. Insurance companies, which have only just started compiling risk tables for data security, are best positioned to fill this gap. What we need is a team from Visa, The St. Paul and Standard & Poor's to forge a security rating system that becomes as pervasive as the little padlocks on Web screens that indicate you're on an encrypted connection.
To become pervasive, we need these ratings built into the Platform for Privacy Preferences (P3P) now included in the latest version of Microsoft's Internet Explorer Web browser.
Why am I hung up on a rating system? Because it fixes a widespread market failure of imperfect information.
Boardrooms today have no way of knowing that a dollar invested in data security will generate even a dime of additional revenue. That's because there's no lingua franca for companies to tell customers they've done something extra to secure their data.