December 5, 2019
In 1959, Volvo introduced the auto industry’s first three-point seatbelts.
In 1982, after five people in the Chicago area died from ingesting poison-laced Tylenol capsules, Johnson & Johnson pioneered the field of tamper-resistant packaging.
In 2019, at a time when legislators and regulators are putting Big Tech and privacy under a microscope, Apple is advocating that privacy is a human right. In fact, the company has included privacy as one of the core functions of its corporate social responsibility program, along with accessibility, education, environment, inclusion and diversity, and supplier responsibility.
What do these three events have in common? The first two were tipping points for safety and security becoming competitive advantages in a specific industry, and the third could very well be the same type of tipping point—not just in the tech sphere, but across all industries.
For most of this century, many organizations have viewed cybersecurity as a “necessary evil”—an expensive and mysterious technology play yielding mixed results. Additionally, the predicted severe reputational damage caused by data breaches never really materialized in the first decade and a half, with a 2015 Harvard Business Review article stating that data breaches did not cause customers to leave or exact long-term stock consequences.
The 2015 date on that article is meaningful because it’s right before the European Parliament adopted the General Data Protection Regulation (GDPR) and before the Petya and NotPetya attacks made “ransomware” a household name. GDPR, a regulation that could take up to 4 percent of company revenue in the event of data misuse or cyber breaches, and cyberattacks that could shut down business operations, were risk game-changers for companies worldwide. Suddenly, cybersecurity and customer privacy became issues of material importance that could impair corporate financial performance. In many boardrooms, this has raised cyber risk to the level of other traditional corporate risks, such as product recalls and litigation.
Additionally, with privacy becoming a headline issue both overseas with the GDPR rollout and at home with various Big Tech congressional hearings in Washington, DC, more and more consumers are becoming aware of how companies are “playing it fast and loose” with their personal data.
Put this all together, and today looks a lot like 1959 in the auto industry and 1982 in consumer packaged goods. In 1959 Volvo made driver safety a human right—a concept that became widely accepted six years later when Ralph Nader published his ground-breaking book, Unsafe at Any Speed, which detailed the atrocious mortality rate among drivers of cars lacking seatbelts and other safety features. With that book, Volvo’s pre-existing commitment to driver safety became a long-standing competitive advantage. Similarly, Johnson & Johnson’s tamper-resistant packaging turned a tragedy into a multi-decade reputation for product safety that continues today. And now, we see Apple going “all in” on privacy as a way to differentiate itself from other Big Tech players. Since every company today is a de facto “tech company,” with digital operations dominating the economic landscape, virtually all organizations have the opportunity to create similar differentiation by making privacy a human right.
Here are some considerations for boards when strategizing how to place their companies at the crux of this movement.
The first step to doing this, obviously, is for boards to encourage and perhaps require company management to invest in the systems and processes that actually deliver superior security and privacy. This can create an operational competitive advantage by enabling organizations to later use new technology opportunities like digital transformation, the cloud, and the Internet of Things to open new revenue streams and build stronger customer relationships, without introducing excessive risk into the organization.
Once the board pushes management to determine what new technology most aligns with their company’s business strategy and their customers’ future needs, management can then proactively work to ensure appropriate security and privacy support is in place before proceeding with planned digital transformation. For example, when financial institutions roll out mobile apps that let customers manage their finances from their phones, these companies create tremendous business value both operationally and in terms of customer satisfaction. However, rolling out an app without sufficient penetration testing or without backend protection using robust identity management and other security layers can create an on-ramp for attackers.
Institutions that adopt sound security strategies, services, and technologies stand to gain a competitive advantage moving forward by being able to quickly roll out low-risk next-generation applications and systems. Those that roll out new systems and apps without these fundamental elements in place stand to suffer damaging consequences from system outages, breaches, and customer frustration, while increasing the potential for heavy fines and litigation. Proactively focusing on data privacy and security early on, rather than trying to retrofit or wait until a problem arises, is a good way to secure company and customer assets, prepare for the future, and prevent erosion of brand trust.
Security will become a determining factor in the time-to-market of digital transformation and other next-generation initiatives. And, these initiatives will play a major role in redefining brands. The concept of “first movers” will no longer be solely a function of speed; rather, it will be a function of speed and sustainability. Those that can deploy new systems and applications that perform as designed, and protect company and customer data, stand to become the long-term “safe” brands of the digital age. Those that are fast to market but prone to breach headlines will be like shooting stars—initially bright but ultimately fizzling out.
It is still relatively rare to see companies overtly promote their cybersecurity and privacy strategies. However, when an iconic company like Apple makes a significant marketing push around privacy, it’s time for other companies to sit up and pay attention because the window of opportunity for gaining competitive differentiation is open—but it won’t be for long.
Boards should recognize this and serve as the catalyst for collaboration between business, marketing, and cybersecurity teams to seize this opportunity, and they should do this soon. The first movers reap the rewards and those playing “catch up” are relegated to “me, too” status. To this day, Volvo is known for safety even though other car brands have become just as safe, and Johnson & Johnson gets credit for pioneering tamper-resistant packaging as part of arguably the best crisis-response campaign in business history, even though brands across any number of consumer-packaged goods sectors fell in line with Johnson & Johnson shortly thereafter.
It stands to reason, then, that companies that make a bold early move to promote their dedication to customer privacy and security stand to reap years, if not decades, of competitive differentiation. But these companies need boards who support technological change and CISOs in their efforts to modernize. It will be interesting to see who follows Apple down this path.
Dustin Owens is vice president and general manager, Risk and Compliance Advisory, at Optiv, a cybersecurity company that enables its clients to build a sustainable, risk-centric foundation for implementing proactive and measurable security programs.