Competitive advantage: a phrase any management consultant is familiar with. When working with clients, you seek to identify what makes your client better than their peers. It can be tough at times for some organizations to find their unique position in the market, but thanks to changing conditions, you may have an opportunity to help clients out in new ways. The emerging area of competitive advantage in the last decade has been cyber security. At first, in the early 2000s, cyber security was not really on anyone’s mind except governments globally. However, as we have seen since 2010, massive data breaches have been impacting the private sector. The most recent data breaches in 2017 have been the largest on record. When Equifax got breached, there was no process to handle the breach of such a central institution in society. The amount of attention this data breach received from the press seems to have become a massive wakeup call to the private sector. At this moment, several stakeholders are demanding that strong cyber security be the default for organizations; however, this is a tough demand for many to meet. Those organizations that do demonstrate how secure they are will reap the benefits in today’s marketplace. Cyber security is an issue across all industries, so you certainly have your work cut out for you.
Cyber Security Demand Rising
As alluded to above, cyber security events over the last decade have increased the demand for cyber security globally. Additionally, the general shift in business models has also increased the need for better cyber security. As the information age has continued forward, we have seen more products become long-lasting services. Instead of a transaction, products have become platforms for digital service subscriptions. Due to this change, product lifecycles are much longer, and so too are the relationships with customers. Keeping customer data secure has become a top priority for businesses. However, despite the demand, many organizations seem lost as to how to approach cyber security, often placing all the responsibility on their IT department.
Shareholders are increasing their pressure against organizations that fail to implement enough cyber security measures. Failing to ensure cyber security is considered a breach of fiduciary duty according to a few legal experts and some shareholders. This has led to the Board of Directors often coming down hard on the C-Suite to increase an organization’s cyber security standing. In fact, the National Association of Corporate Directors has released a guide to cyber-risk for board directors. Pressure is coming from all around for organizations to get their cyber security act together. It would not be surprising to see a rise of startups requiring increased cyber security in order to gain their next round of funding.
How Cyber Security Translates to Competitive Advantage
How well are organizations optimizing their resources for alignment with the cyber security opportunities in the market? There are plenty of organizations across any sector of the economy which are failing at cyber security due to negligence or just outright dismissal of its importance. What if, by developing better cyber security management practices, your client’s organization could attract more investment, savings, consumer confidence, or brand equity? Thankfully, cyber security does improve a lot for organizations, because cyber security is an infrastructure challenge. If cyber security is tackled in a comprehensive manner, then external stakeholders will take notice. While working with clients to improve their strategic fit, make sure you are helping them to understand their cyber security position relative to their peers and help them to improve it. Remember, in the context of competitive advantage, cyber security is a strategic asset.
The key link between cyber security and competitive advantage is trust. If people cannot trust that their data will be safe with your clients, then they will not trust your clients. Trust is expressed by taking all necessary steps to ensure data is secure. This requires that you apply a few core tenets to your clients’ products, operations, and organization. Those tenets are: prevention, detection, and response.
The goal of prevention is to stop insider threats before they become a problem. Under prevention, you want to ensure that clients are on top of their access controls, permissions, risk assessment, security policies, and employee training.
The goal of detection is to identify when a data breach happens and to manage who gets notified. Thanks to advances in security technology, detection notifications can be sent out based on the severity of the breach.
Lastly, response is how a client responds to a threat. Response is a task that must be organized by management and should answer how operations will continue, who needs to be notified of the breach, public relations, vendors to contact, agencies to contact, and many more. Without a proper response, you have the nightmare that was the Equifax data breach response.
Working with Clients
You’ll be working with clients on three levels when it comes to cyber security, and each level will involve a different aspect of security. Products, for example, will be the most technical level of security. Operations and organization are two other levels that usually are more dependent on good management than programming skills.
Products: Security by Design
This is the most technical level you’ll be working on with a client, but it is here that you can help a client demonstrate safety to consumers. Security here would be mainly with digital products or digital aspects of products (IoT products). Here your focus should be on guiding the client through the security by design principles. What often happens in product development is that security, if it is considered at all, is an afterthought. The goal is to ensure security is considered and made another requirement during the product development process. The three pillars of security by design are: confidentiality, integrity, and availability. Confidentiality and integrity, for example, could be expressed by encryption of data at rest and data in transit. Such practices would put any client who works with IoT products leagues above the competition that does not take security seriously.
Operations: Productivity and Security
This level is more about process management and improvement. The aspect to manage here is client expectations about productivity and security. Many managers assume that by integrating security they will negatively impact productivity, but that simply is not true. Tom Puthiyamadam, Global Digital Services Leader of PwC, has stated before: “Leading companies are integrating cyber security, privacy and digital ethics from the outset. And that enables them to better engage with existing customers and attract new ones. Many also see efficiencies in operations, business processes and IT investments.” Here you want to work with clients to use a framework. The most well known in the United States is the NIST framework. The goal is to get clients to identify data assets, put in place protective processes and measures, monitor assets, detect insider threats, respond to security incidents, and recover from the breach. Such a comprehensive framework will take time to integrate, which works to your advantage as a consultant. You can even be more creative and try to build on top of the framework for an offering exclusive to your firm. Your principal goal when working with processes is to make sure process changes and operational changes do not reduce productivity.
Organization: Continuity and Integration
Throughout the organization, you will need to ensure there are a few things in place for a comprehensive security integration. The first thing that needs to be in place is a continuity plan, which addresses the question of how your client’s organization will continue to operate in the event of a data breach or ransomware attack. FedEx faced this crisis during the NotPetya outbreak and had to resort to paper processing in order to continue business globally. Additionally, companies need to control any endpoints/devices that come into contact with their network. In many companies there is typically a practice of bring your own device, but this opens a company up to a lot of risk. If an employee does bring in their own device, make sure the security software your client needs is on it when they come online to the network. Lastly and most importantly, make sure the workforce is educated about cyber threats and the security practices they should be following. If the workforce is not aware of how advanced threats are today, like phishing emails, then they are more likely to become a negligent insider threat and may cause a data breach. Help your clients educate employees; you can do this through workshops or by working with them to develop a recurring program.
Cyber security has tons of benefits in the marketplace if a company decides to take it seriously. You can ensure your clients reap the benefits of being the most secure organizations in their industry. As the internet of things continues to grow, business models become more long term, and security threats evolve, your clients need to be better prepared. You can help them reduce potential losses, prevent data breaches, and keep a fair amount of the population secure.