Make cyber security a selling point, not the afterthought in your business model


By L. Keith Burkhardt, VP, Kraus-Anderson Insurance

Burkhardt_Keith_2015-med-225x300 Make cyber security a selling point, not the afterthought in your business model

Remember when a cup of coffee was ten cents? Me neither. But I do know that the free coffee at workplaces across America is not hurting the business at Starbucks one bit. That’s because the retail coffee shop industry has convinced its customers, those hundreds of millions of caffeine loyalists across the globe that the barista experience is worth it.

Now apply that train of thought to your own business. And think of your cyber security program as your barista.

Like latte foam art, cyber security is a beautiful, comforting and elevating enhancement; but what’s so much more, its success or failure can wholly make or take down a business.  In today’s digitally connected world, a proactive cyber risk management program is potentially one of the most powerful potential differentiators your business can offer; one that you should be not only building into your supply and delivery chain, but also leveraging in your sales and marketing efforts.

Entrepreneurs may see competing with larger, better-known brands as an uphill battle. But if you know how to connect in a secure cyber environment, you can turn that size differential to your advantage.

How? A startup is uniquely structured to market its advantages over the establish competitors, who may be bogged down managing legacy systems and customers service platform conversions and maintenance of related hardware systems.  The established company’s IT strategy may need to validate and stretch its security enhancements over multiple budget periods. Pricing such costs within their current product or servicing offerings can be cumbersome and present internal and/or external challenges.   As a startup, if you’re practicing good digital hygiene at the outset, you’ve got a lot to sell over the Goliath with a lot of baggage.

On the other hand, tending to your cyber infrastructure can be a great way to attract some Goliaths as customers. Large, portfolio-building clients from healthcare providers to health insurers and financial institutions are desperate for companies that can demonstrate they are cyber diligent and resilient.

“Start-ups who do cyber security right, and are cyber-resilient may actually have more flexibility and security than many of the Goliaths,” asserts Attorney Emily Duke, principal of CyberSmart Law.  “They can leverage the information security expertise of cloud-based infrastructure and software that weren’t available or prevalent five  years ago when the Goliaths built their in-house infrastructure.  So their ability to intelligently use the cloud can actually make their products and services more secure, scalable and flexible than their mature, large counterparts.”

Consider the supply chain of issues related to our digital connectivity- the smorgasbord of cyber security weaknesses we expose ourselves to as the price of doing business in the 21st century: Data sharing with clients, vendors, and suppliers; multiple business locations; data transfer, data storage and data disposal architectures. All of these offer opportunities for sophisticated and ever-evolving forms of cyber attacks. Not to mention the old low-tech standbys, like phishing and social engineering schemes.

A competitive business keeps that digital buffet as sanitized as possible, building cyber vigilant architecture into every component. Data mapping, data management and disposal processes, documentation and training practices, vendor management/procurement due diligence; and resources– all are addressed.

If you’re offering an innovative, useful product; do business responsibly; and can demonstrate a sound data infrastructure and an employee culture that avoids risky habits throughout the course of the sales process — you just may have a competitive advantage and make the sale.  Just make sure your pricing accounts for the costs cyber hygiene and resilience.

Avoid making the mistake of trying to make your current pricing cover the cost of your cyber security. Instead, start on the front end and build that investment into your pricing. Review the cost of a breach in terms of legal advice, defense, third-party financial loss or damage, notification to affected parties, ID theft monitoring, call center, regulatory fines & penalties, forensic investigation, business interruption, damage to systems and equipment, court appearance costs, PR expenses, reputational harm, theft of personal assets, money, financial instruments. Understand the value of your investment and insure it! Remember: A hammer in the toolbox when you have to pound nails won’t help you. You need to have it in your hand.

CIO’s and CSO’s, you also have a big part to play in building cyber security into the company’s digital architecture. Beyond needing to account for and demonstrate cyber security, you also need to be involved in the pricing model and how it is communicated through marketing strategy. After all, you may be among the best-equipped members of the company to assist your business development team in communicating the value of the infrastructure they are offering. Engage in the business model and strategy. Give CEO’s the confidence to be engaged in your models, bake cyber security into the product cost, and work it into with your sales force culture.  Leading-edge questions you should be considering include:

#1:  Is your Cyber security and cyber response expenses “baked” into your Companies pricing of services or cost of goods business model? Have you engaged your CIO’s/ CSO’s and leadership in communicating the value it offers?  Can you demonstrate how your Cyber Security/Resilience activities offer a competitive advantage and differentiator compared to other players in your space?

#2: In a Cyber Security Crisis what further “pre event” engagement of your Technology leadership team is required for them to be the successful quarterback and have a full understanding of who/when within the company needs to be brought into a cyber crisis situation?  As an example, does it makes sense that a CIO’s or CSO’s are involved in understanding how to access and utilize the internal and external financial and legal resources necessary to survive a breach?  Does the team understand the tools such as insurance or access to external legal resources to stay abreast of current developments that may impact Cyber Security?

#3:  How does your Entities Culture adapt and support your answers to the above questions?

If your cyber security program is still hiding in the IT closet, it’s time to bring it out and make it a proud part of the experience of doing business with your company. Remember, it’s your barista.