Thursday, April 16, 2009

Privacy & Security as a competitive advantage

Thanks to the great people at SC Magazine for publishing this piece of mine.
(http://www.scmagazineus.com/The-privacy-security-advantage/article/130470/)

Here is the longer unabriged version:

Using privacy & security as a competitive advantage

There is an old axiom in marketing circles that it costs significantly more money to acquire new customers than to retain and service your old ones. Since the business environment has slowed for now, showing additional ‘value added’ services rather than simply a lower price, for example, is critical for many companies higher up the value-chain that provide are providing a service. Clients should particularly value a competent privacy and security program implemented at its service providers since it will not ‘cost’ them anymore than they already pay for an expectation that their data/info is safe and secure.

Any company who has customers to be accountable to doing business during these days of dire financial times, should be required to look good and hard at what additional they can bring to its customers - besides the primary product or service it already provides. In addition to being a great marketing and selling opportunity, this introspective look for security and privacy ‘value’ can give companies a chance to leverage what they uncover as a differentiating factor – a competitive advantage.

A company with a solid, mature security and privacy program will be well advised to make this fact known to both its marketing and sales teams, and its customers. Privacy and security competence matters more than ever in this precarious financial environment. Rather than ‘distraction’ of making money hand over fist, the focus for many companies is now on keeping the existing customers satisfied, rather than only worrying about adding new ones to the fold.

How can an organization best position their privacy and security programs and oversight to be used as a competitive advantage? First, of course, you need to ensure that your privacy and security program is robust, well-tested, formally documented and meets or exceeds whatever legislation that your company is subject to or regulated against (Gramm-Leach-Bliley, HIPAA, etc). Aligning your programs against a standard like NIST or ISO 27001 is an excellent way to ensure that your programs minimally meet a design framework that is accepted and understood by your market or vertical.

It is critical to give your customers a point of reference about the validity of your programs so they easily translate the value into a currency they recognize. If your clients are banking institutions, for instance, it makes a lot of sense to develop your privacy and security programs around the Federal Financial Institutions Examination Council (FFIEC) standards since most banks, thrifts, savings & loan institutions and credit unions are regulated by entities that make up the FFIEC (OCC, OTS, FRB, FDIC, & NCUA). Doing this will make it easier for your banking clients to get their auditors or regulating agencies comfortable with using your firm as a service provider. Helping them successful navigate audits makes you a valuable partner. Your customers will really begin to derive value from well-designed and real-world tested programs when they realize that they can lessen their due diligence and oversight of your firm due to the extensive testing and thoroughness of your own internal activities.


Companies doing business in the US, especially in the financial and health care sectors, are already exposed to a litany of legislation, mandates and guidance that they are regulated and tested against quarter after quarter, year after year. Companies can realistically expect such federal and state legislation to only stricter, more onerous and more invasive. Most companies already either perform or have a 3rd party perform some kind of internal and/or external assessment. These activities could be everything from simple perimeter vulnerability scans to intrusive penetration tests on web-facing applications. If you have having these done, you should leverage the results (properly scrubbed of any confidential or proprietary information like IP addresses, of course) and provide your clients Executive summary-type versions of the reports to show that not only are you constantly evaluating the viability of your network, but you are having an independent third-party doing it for you. You should also take advantage of any other internal and external audits, assessments and oversights that you can reasonably share with external parties by crafting these documents, or summaries of them as a consumable for external parties. It has been my experience that clients, especially their security teams, really appreciate this effort.

Any attestation, especially an independent one, that your controls are in place and functioning properly gives clients and sense of comfort, and may even relieve them of either significantly overseeing you as a service provider – saving them time and money, or may at least minimize the intrusions of each and every client and their auditors tramping through your shop.

Another innovative way to deliver a competitive advantage today is in the realm of vendor management. This discipline is quickly becoming an increasingly high profile topic of discussion and interest between clients, customers and their service providers. The onus is on you to demonstrate oversight of your 3rd party service provider(s); you need to show especially robust oversight controls if the 3rd parties are perceived to be of higher risk, such as an overseas provider. If you are outsourcing some of the work your clients have turned over to you, those clients may ask “Why am I outsourcing to you if you in turn outsource?” Here is where you point out your management and oversight of the vendors and how you assume full accountability for the controls in place, as well as the robustness of those controls. This is where you also have the “value add” conversation and demonstrate why your clients placed their trust in you in the first place; it is a key selling point for your company to use to distinguish itself from competitors. This will resonate especially soundly with any clients that provide you access to or control over their sensitive customer data, proprietary or intellectual property.

Lastly, a final easy way to show privacy and security competence over competitors is in the area of oversight of employees and their access controls. This long-neglected, decidedly un-sexy discipline is now, like vendor management, starting to get the attention it deserves. Most studies of risk show that internal employees who already have access to the company network pose the biggest threat – the malicious insider. One of the best ways to show oversight and mitigation of this risk is with regular entitlement reviews. Nothing may prevent a trusted employee from one day going ‘rogue’ of course, but habitual review of appropriate access will minimize damage from people who no longer have a ‘need to know’ access to the critical and sensitive applications and data that may represent the lifeblood of your company.

Still need justification for your programs? The benefits of a competent privacy and security program are myriad and are more visible and tangible than ever. Don’t just analyze what it costs to administer your programs (FTE’s, software, etc) or even what the ROI may be (if you can even calculate it). The hard and soft costs associated with damage to a brand or reputation due to a breach or compromise maybe incalculable, and may make it very difficult or impossible to woo back former clients who left due to the breach, or worse, woo new clients into the fold. How’s that for justification?

No comments:

Post a Comment