By: Drew Sorrell
Amidst the coronavirus pandemic, remote meetings have become “the new normal,” with Zoom, seemingly overnight, becoming the platform of choice. Zoom’s success is attributable to the fact that “it just works.” Of course, the double-edged sword of success is the attention it attracts.
Earlier this year, Zoom’s stock price rose while most other stocks fell in value. Now Zoom is being sued in two shareholder class actions, both on the basis of Zoom’s handling—or mishandling—of security. Regulators and politicians are also said to be looking into Zoom’s security (and inherent privacy) flaws.
Zoom’s CEO Eric Yuan apologized, essentially to the world, and announced that the company will pause on new feature development in favor of enhancing security. I previously wrote about some of those security issues here.
Whether it be Zoom, Facebook, or any other company that comes under scrutiny for privacy or security issues, you’ll notice the headlines never read “Zoom’s director of product development apologizes” or “Zoom’s chief information officer testifies before Congress.” Yet, all too often the C-suite attempts to “delegate and forget” the responsibility for security to the IT Department or treats it as a “problem for later” rather than a design problem at the outset. Under this corporate strategy, IT’s assignment often comes with a mandate to reduce spend and a lack of authority to impact business operations. This is not just the wrong approach, it is essentially executive malpractice, as demonstrated by the previously mentioned shareholder suits and regulatory inquiries.
What to do? Simple. Security is now a strategic issue for your company. You appoint a head of security, and instead of making them a third-tier check-box, you give them a full seat at the table, along with the invitation and the obligation to speak up when security (and privacy) is implicated in business operations.
Security must become cultural and a strategic initiative at every company, public and private, small and large. I say this with the backing of the California Consumer Privacy Act, the General Data Protection Regulation, the Federal Trade Commission Act, every state’s data breach notification law, the Plaintiff’s Bar and all of the other rules and laws in development, which are only going to tighten security and demand increased privacy.
From a marketing and crisis communications perspective, having to address security issues is also not good for business. In that sense, WebEx, Microsoft Teams, GoToMeeting, Skype and FaceTime got lucky vis-à-vis Zoom.
If you do end up suffering a breach, you’ll be able to point to all the things you are doing to demonstrate how seriously you took the issue of security. No security is perfect—it is an ongoing iterative process—but the law does not demand perfection. Rather, the law demands companies be reasonable, and that can be accomplished one step at a time.