Shifting the value perception
All of the big breaches over the last few years have had three things in common. Home Depot, Yahoo, Target, Adobe and even Equifax had good technologies in place, smart people, and responsive processes, yet all suffered extensive breaches worth tens and hundreds of millions of dollars. In the case of Yahoo, the breach stripped $350 million of valuation from the Verizon deal, and in the case of Equifax, their breach may well signal the end of that company altogether.
Most cybersecurity professionals still explain the value of data security to the business only in terms of qualitative risk reduction, loss prevention, and regulatory compliance. The problem with this narrative is that it fails to connect to the single most important goal of most companies — driving revenue, profit and growth. As a result, we witness a further erosion of the communication bridge between the CISO and the Board.
At a time when the biggest source of competitive differentiation comes from how businesses exploit digital technologies to create new value for customers, increase their operational agility to serve their existing customers, and form digital ecosystems that generate entirely new revenue streams, data security and privacy represent much more opportunity than what is usually assigned to cost centers like cybersecurity.
Cybersecurity as a Profit Center – Who Knew?
If you suggested to the average board member that there was revenue and customer opportunity in cybersecurity, s/he would think you were crazy. Some of this disconnect stems from a communications gap: we fail to speak the universal business language of positive value and focus instead on negative elements.
We in the cybersecurity community would provide a much more effective service to our collective businesses by helping our management focus on the tangible business benefits of a rigorous cybersecurity defense program instead of continuously focusing on the threats and the cost. We should explain how the right programs and the right risk management approaches are tied to revenue growth and market differentiation. All of the non-stop narrative about needing more money and increasing cybersecurity budgets and apocalypse next is not getting us anywhere.
But leveraging the apocalypse in the marketplace by explaining your approach to cybersecurity defense and what it means for your customers can go a long way toward winning new business and keeping the customers you already have.
Here are just five simple outward-facing benefits from a well-designed cybersecurity program:
1. You can build trusted customer relationships that drive loyalty and retention.
The relentless parade of data breaches and privacy violations has created a unique opportunity for the organizations left unscathed. The fact that you have avoided a breach provides increased assurance and an additional reason to do business, and to continue doing business, with you.
We are always seeking new stories to make our existing customers feel more secure and to enable our sales teams to provide prospects with new and differentiated benefits that will compel them to come aboard. Enhanced cybersecurity can be a customer gold mine.
“New customers are the Holy Grail”
2. You can redefine and elevate data security and privacy as a corporate social responsibility.
Behind every stolen customer record is a consumer victim who must deal with the hassles around reconstructing their credit and often their entire identities. The Equifax breach is the poster child.
This problem alone should make data protection an ethical and moral imperative.
Those who see it this way and craft compelling stories around their cybersecurity and privacy efforts will win customer loyalty and increase their base. Companies like Nestle, Apple and IBM have turned data privacy into a corporate social responsibility (CSR) program.
In 2018, almost 50% of the Fortune 500 began CSR reporting that included information about security controls to enforce protection and fair use of personal data, intellectual property, and other sensitive information. They didn’t do this because they were looking for additional administrative management issues to address. They did it out of a sober cost/benefit analysis that concluded data privacy in CSR was a winner with their customer base.
We all know how expensive it is to bring a new customer on board. Let’s do the math on how much it costs to lose one. Equifax may pay the ultimate price when they cease to exist. The analytics are obvious and will quickly demonstrate that implementing a similar policy makes a ton of sense.
3. It will allow you to create premium pricing or offer unique dedicated privacy products.
We all know there are explicit and implicit premiums. One example is AT&T’s explicit shift charge of $29 a month to opt out of online activity tracking for targeted ads. Implicit premiums can be translated from charges for devices with built-in advanced security.
There is a growing market for solutions that enable consumers to protect their online privacy, and financial institutions can decide whether to include freemium privacy controls or add them on optionally to create entirely new revenue streams.
Either way, the result is new revenue and customer growth, rather than only the increased cost for cybersecurity programs.
4. You will be able to capitalize on risk.
From workforce mobility to the growing opportunities in the Internet of Things to smart data analytics, all companies have plenty of ways to carve out new opportunities to help drive growth. But this vision of connected intelligent sensors requires a new perspective on the threats.
Using Smart Data to better serve customers with new and advanced security measures can create an improved and pleasant shopping experience, but only if it is accompanied by the specific and unique assurances that your security is the best security. Amazon figured that one out a while ago and their resulting growth has been breathtaking.
Companies that fail to invest properly and can’t seize marketing leverage from the results are doomed to spend countless dollars and human capital digging out from holes like those familiar to Equifax, Marriott, Target, Neiman, Yahoo, Facebook, Google, Home Depot, Ashley Madison, Hilton, Hyatt, etc. The list is long and distinguished.
5. You can shore up and protect future revenue streams.
Research and development capital, corporate secrets, private executive communications and intellectual property assets hold the key to future growth and direction for every company. Protecting not just the secret sauce but also words written in haste is equally critical to a company’s trajectory.
Safeguarding this data against cyber espionage, theft, and careless compromise should be valued on equal footing with corporate tax strategies, executive compensation plans, stock option management, litigation advisory services, physical safety programs, new product development and competitive market analysis. When was the last time you cut those budgets? Oh, never?
The Sony hack had a bigger long-term impact on operating results, owing to the departure of the management team because of a few misguided emails, than all of the crazy market noise around a single movie that was probably not going to make any money anyway. Ask Scott Rudin and Amy Pascal what they think about email security.
Privacy abuses bring unwanted scrutiny
The FBI estimates that economic espionage costs US businesses billions of dollars each year. The numbers will continue to grow and the impact on your business could be dramatic. Why not focus on making headlines for advances in data privacy rather than what your CEO says in his email?
Data is the lifeblood of today’s digital businesses. Hacked customer data can erase millions in profits, stolen IP can destroy competitive advantage, and unnecessary privacy abuses can bring unwanted scrutiny, class-action lawsuits and fines from regulators while damaging reputations.
The hackers and bad guys are only going to get better at cyber-attacks. The threat vectors are only going to expand. Today it’s data theft. Tomorrow it’s going to be data manipulation. Losing 100,000 customer records will look like child’s play against 100,000 manipulated employee savings portfolios. And, no … you don’t want to be that guy.
There is tremendous “profit” opportunity in cybersecurity if positioned correctly.
We can seize it and start to assert our expertise by positioning data security and privacy capabilities as competitive differentiators and help build a new kind of customer relationship that is increasingly profitable and secure for both.
Or, we can continue to view cybersecurity as an expensive cost center about which we understand little and over which we have even less control.
The choice seems obvious to me.