How to Take Security from Afterthought to Advantage
Is security just an afterthought? Not according to Infonetics Principal Analyst Diane Myers, who says it’s the #1 criterion for buyers of cloud communications. The fact that security is the most important concern among enterprise IT decision-makers is strong evidence that companies that do a good job at security could find themselves at a competitive advantage over their less-secure rivals. But how can you get your company to really focus on doing security right—not just because it’s the right thing to do, but because it’s financially sound?
It’s easy to see why so many CIOs and other senior managers say that security is their first concern. It’s not hard to think of dozens of organizations that have suffered security breaches—Target, Home Depot, the IRS, Anthem, CareFirst—and dozens more. We all know of companies that have taken huge hits, in terms of reputation, fines and financial losses.
Address Security Problems to Compete Better
But few companies stop to think that simply doing a better job of addressing security problems can be a competitive advantage for those that do things right. Organizations that sidestep such problems are often better run in other ways—because they’ve evaluated their processes and thought through how to improve them. They also avoid the fines, wasted time, and loss of reputation that their less security-conscious peers suffer.
And organizations that treat security and compliance as more than a useless formality avoid the time wasted later, when the consequences of bad decisions and of looking the other way are far worse because they have festered for years.
How to Get Upper Management Buy-in
Security and compliance directives rarely work unless they come from the top, so you have to get upper management to 1) make a commitment and 2) understand that it will take resources and reinforcement of good behavior—and maybe even exposure of bad practices—to make the commitment “stick.”
The key to this is quantifying the negative financial effects of a breach, and the positive effects of being an industry leader in the field, or of providing extra-secure products or services. In the case of 8x8, for example, we were able to turn our compliance with various requirements such as HIPAA, FISMA, PCI-DSS and Safe Harbor laws into an advantage in the cloud unified communications arena. None of our direct competitors advertise that they comply with all of those objectives, which is understandable, because it requires a lot of work—but it has paid off for 8x8. We can now use our compliance as a competitive feature.
Where to Start
Schedule a meeting with top decision-makers, and be ready to:
- Summarize any recent security incidents—at your company or companies like yours—and talk about the potential for losses from such incidents in the future. You need not have actually suffered a loss—you can talk about what might have happened if circumstances had been a little different.
- Discuss the impact and root cause of recent incidents, and the economic benefit of avoiding them.
- Present a short, high-level summary of your plan to raise the level of awareness of security, compliance and their value to the company.
- Talk about what reasonable goals might be—both for the overall company and on a department-by-department basis. Department directors are usually more willing to support goals that align with the things they’re already being evaluated on. For example, an IT goal might be to reduce the number of successful phishing attacks, or to reduce the number of unsecured desktops at the company. A customer service department might have goals concerning the detection of social engineering attacks by people impersonating legitimate customers. (Incidentally, a good VoIP phone system or contact center software can help achieve this goal, since both integrate with CRM systems such as NetSuite and Salesforce and match the incoming phone number, automatically “popping” previous contact information to the phone or screen.)
- Talk about quantifiable training objectives. Most security and compliance standards—including Sarbanes-Oxley, HIPAA, FISMA and the EU Data Protection Directive—have explicit training requirements. Present a roadmap explaining how you propose to get there.
- Paint a picture of what success looks like—and how you might leverage a more secure, compliant company as a business improvement. Could you use improved security in ad campaigns? Could you reduce losses and improve the bottom line? Can you use your plan to cut costs?
You CAN Do This
Most people who go in prepared—and can talk about security and compliance’s effect on the bottom line—are able to get top management to endorse their plans. But that’s just the beginning. In an upcoming blog, we’ll talk about a woefully underused secret to help get everyone in your organization to take security seriously.