Until recently, you didn't often meet executives who got excited about investing in cyber security. They did it because they had to, to reduce risk. There was almost no upside when cyber security worked well, and significant negative attention when it didn't.
But now security investments can also be used to attract new customers and build new business, as companies prospering in the digital economy have shown. And that has turned traditional business thinking about cyber security on its head.
Typical cyber security discussions used to be about locking down data access, keeping out hackers, and protecting against a myriad of threats. But to be part of the digital/mobile/data revolution, you also need to invite people "into the store" to access and share information.
That means unlocking information to become more intimate with customers – getting to know customers, digitally, to understand their needs to serve them better. You must also respect their wishes – managing the "three Ps": Permission, Preferences and Privacy – part of what we call Consumer Identity Management.
"If you're not in a position to be able to use your knowledge of customers and digitally engage with them openly on that basis, then the discussion will probably remain only hypothetical, and someone else will."
Partner, Technology Risk
With trends like Fintech, new business threats and opportunities are much larger than the cyber threats that motivated earlier security investments. Capabilities that underpin digital business strategies – digital identity, data analytics, customer preferences and privacy – are now vitally important to long-term success.
Traditional supply chains are being disrupted by services offering superior customer engagement or product offerings supported by digital innovation. Through the eyes of a digital disruptor, wealth management, for example, offers attractive margins, potentially dissatisfied customers, scale, potential for globalisation, and a product and service offering that has innovated minimally and reluctantly.
To compete, incumbent organisations must engage with the digital economy and mature their own capabilities. Managing, and leveraging, the digital identity of current and future customers – their Consumer Identity – is now a core foundation competence. And that often requires a change in culture. For many of the trusted advisors that the CEO or board members might go to for help, the first instinct is to say no, it can’t be done, or that it would be too risky.
"Security discussions used to be about locking down data access, keeping out hackers, and protecting against a myriad of threats. But to be part of the digital revolution, you need to invite people 'into the store' to access and share information."
Director, Cyber Security Services
The alternative, going around trusted advisors like the IT department, is not an attractive option. As KPMG's Guy Holland writes: "Business leaders may be so impatient to implement a new system or digital experience that they decide to disintermediate the IT department and deal directly with agencies and suppliers. This is fraught with danger, both in terms of integration and strategic alignment, and also from a risk management perspective."
A better approach is giving the CEO the ammunition to say to their IT people: "We can respect privacy and security, we just need to use our information security tools for a different purpose, to share information, provided the consumer is in control, for their own benefit."
Almost every organisation holds customer information they could leverage with the right capabilities. And they have employees already familiar with digital channels through their own experience as consumers. Once enabled, the conversation stops being about the technology and becomes about how organisations can get down to business.
Robust data analytics that deliver insights into individual customers are part of that. As KPMG's John Teer writes about wealth management: "Providing timely, relevant, engaging and personalised information and education about the choices available to an investor will become as important – if not more so – than the underlying product."
Yes, there are challenges. If a company has the ability to analyse an individual's behaviours – even their psychological make-up – then what are the ethical boundaries? A panellist on a recent cyber security panel discussion suggested that organisations needed to build their digital literacy skills around good ethical decision-making, and we second that.
It's a very interesting discussion to be able to have. ‘Able to have’ being the operative words, because if you’re not in a position to be able to use your knowledge of customers and digitally engage with them openly on that basis, then the discussion will probably remain only hypothetical, and someone else will.
To be in the game, you need to empower staff with the technology tools, and that includes Consumer Identity Management, data analytics, and cyber security and privacy safeguards. After that, it all comes down to good old fashioned business sense.