Cyber security: Opportunity, not just compliance
Doing something out of fear misses the point, says Steve Howe at Amethyst Risk Management
Fear typically only makes companies do the minimum to comply, but every cyber resilience measure put in place shouldn’t just be about compliance. If it is, I would suggest that you are taking the wrong approach.
When you are advised on implementing a cyber solution to appease compliance concerns, I call that the ‘regulator sale’. You can work out if you have been subject to a ‘regulator sale’ by asking yourself whether you would have purchased the solution if there was no threat of regulator retribution.
Instead of provoking fear, we should be looking at this as a business opportunity to motivate improvement.
I believe it’s the job of the cyber professionals and the regulators to explain the business advantages of cyber. They should make a business case for cyber that doesn’t rely on the cost of having to pay a fine if you don’t do anything. Fear doesn’t guide someone’s decision to buy a car or go on holiday so there is something else at work.
Has anyone grasped this idea?
Well perhaps Apple have. They won’t release someone’s data lightly and will even go to court to defend it. What’s their motivation? Perhaps they believe that they will attract more customers and thus make more money by appearing to protect their customers’ personal data at extreme cost. Given the under 35s’ distrust of anyone in authority thanks to the 2008 financial crash this appears to be a smart strategy.
So there are companies making a strong stance on privacy and security as business differentiators.
Cyber can provide you with a USP. If you can see a clear road ahead, stop and build a wall behind you that your competitors will run into as you pull away. The bricks in that wall can be really good cyber resilience, your total commitment to protect your customer’s data and their privacy, and your promise that you won’t abuse our position of trust by selling it on to third parties. Then cyber becomes an advantage – your measures are something to inform your customer base about and you can demonstrate that you are looking after their data.
Data protection is already becoming a necessity, so make it a virtue. The regulator will be satisfied as you’ve gone beyond the minimum required for compliance, and your customers will be happy as they know their information and, by extension, themselves are important to your business.
Your customers have a choice. Help them choose you by offering something more than the minimum – it might just become a business strategy.
Next post: Three productivity gaps and a human lag
Previous post: What's the cost of a cyber attack?