A recent article by Michael Porter and Mark Kramer, Creating Shared Value (Harvard Business Review, January-February 2011) makes the point that a focus on "shared value" can help give birth to a new capitalism and move business beyond its short term profit focus. Shared Value, as defined by Professor Porter is not giving money away, but rather is a focus on goals that will both increase profits and improve the business and social environment in which a firm operates.
The practice of information security can contribute to creating shared value. That is, if business is able to move away from the regulatory response approach that most firms use now. Many businesses operate with a strategy of doing as little as possible to protect information, unless regulators or compliance dictates otherwise. As Porter discusses this response to regulation is not just the fault of business. If government prescribes detailed regulations then business sees that as a cost to be avoided. Porter's suggestion regarding regulation is guidelines created by government, around which companies then create performance standards. Government would be responsible for "efficient and timely" reporting of results which could then be audited.
To me this is a good approach which could help ensure that better information security will become a shared value benefit. Keeping consumer information safe is clearly a social benefit, as one example. What we have now is the opposite. For health related information we have detailed standards on how to secure the information, but almost no reporting and monitoring of results. The result is a reported 1M+ medical records breached in any given six month period. What happened to the Hippocratic Oath?
Super informative wiritng; keep it up.