For those of us immersed in the cyber security trenches, the findings of KPMG’s 2019 Global CEO Outlook offer a fresh jolt of adrenaline.
For the past few years, we have seen our clients sharpen their focus on cyber security as a top priority, but this year the survey also revealed that top CEOs want to turn their cyber investments into a strategic advantage and a revenue driver. That’s a large, positive shift in sentiment, but it raises the question: just how do you achieve it?
Seeing opportunity in cyber security:
According to the survey, these CEOs are assuming a more optimistic view of their cyber expenditures, with 71 percent stating they see information security as a strategic function and a source of competitive advantage. This reflects a dramatic change in opinion from what we’ve heard in the past from clients, when CEOs largely viewed cyber security as a risk mitigation measure.
This new mindset can be attributed to several factors. For one, senior leaders realize that the latest technologies can do more than improve the back office. They can also transform the front office and enable a company to introduce more customer-centric business models. Now, if companies embed cyber security in product or service design, they can deliver a customer experience that yields greater revenue.
As an example, some years ago, credit card companies turned their investments in back room fraud detection software into distinctive new cards that attracted customers with instant transaction alerts and fraud protection guarantees. More recently, cloud service providers are putting security at the heart of their offerings and providing customers with a range of bundled or a la carte security options.
Second, companies now appreciate that they can bolster their brand and increase customer loyalty by building ‘digital trust’ with customers. For years, the banking sector performed extensive outreach to convince consumers that ‘the bank has their back’ and is dedicated to protecting their data and privacy. This has demonstrated the connection between a company’s reputation for solid information security capabilities and loyalty among its customers. Now we’re seeing other industries, from the auto sector to energy and natural resources, boosting their transparency, since they see digital confidence as a means to strengthen brand trust and, ultimately, enhance customer loyalty.
Third, CEOs are seeing first-hand how under-investment in cyber security can constrain their organization’s growth. Increasingly, companies are asking their prospective B2B partners for cyber security assurances and a number of governments have added cyber security requirements to their procurement contracts. Cyber insurers are exploring ways of assessing company cyber risk and linking it to premium pricing. Even bond ratings agencies are signaling that they will begin to factor cyber security into their analyses, enabling investors to tangibly price the value of a company’s cyber preparations.
How to turn protection into profit:
Based on my observations of leading companies that view cyber security as a strategic advantage and a center of growth, here are a few notable practices:
- Start at the top: CEOs must take a leadership role, by championing their companies’ cyber security initiatives. KPMG’s 2019 Global CEO Outlook suggests that most corporate leaders are ready to follow their words with action.
- Empower your CISO: Ensure your Chief Information Security Officer has direct reporting and working relationships with the Chief Risk Officer, CIO, CEO or the board. Empower this individual to tackle big picture threats and demand that they avoid being buried in technical minutiae. They should be more involved in strategy development, investment decision-making, and mapping the customer journey from a security point of view. The CISO can then adopt the same laser-focused mindset that organized crime groups exhibit in their relentless attacks.
- Embed cyber security enterprise-wide: The cyber security function must be integrated across the organization and involved in new service models and business process design. Security should be part of each stage of the development process rather than trying to retrofit security controls later.
- Educate customers and employees: Engage proactively with your customers and ecosystem partners to keep them informed about cyber risks and safe consumer practices. In a hyper-connected digital world, customers’ actions can result in significant cyber security risks. Remember to also educate your own employees, since they are the first level of protection, and internal errors are a frequent cause of breaches. It is important to build a culture of awareness and respect for cyber security.
- Make it easy: Customer and employee behaviors are key to your defenses. Make it easy for them to report suspected threats and be part of the solution, not the problem. Companies must offer a simple process for constituents to report cyber abuse.
- Do the right thing in your customers’ eyes: Since a cyber-attack is likely a case of when, not if, it’s critical to prepare to do the right thing by your customers following an incident. While many companies have invested heavily in prevention, fewer have dedicated the necessary resources to create and exercise their response strategy for a larger-scale disruptive scenario. Clearly define how you would manage the response required to minimize reputational damage to your company and harm to your customers.
Keep in mind that you must first know ‘What is the right thing to do?’ KPMG’s recent Consumer Loss Barometer report revealed a gap between how companies believe they should act following a cyber breach and what consumers actually expect from those companies. Therefore, you must truly understand your customer expectations so you can precisely target your response and communication messaging.
- Support industry collaboration: Finally, you should not take the concept of ‘cyber security as a competitive advantage’ to the extreme. Companies in the most mature industries share information on cyber threats and their remediation work. This healthy collaboration will add credibility and challenge to your individual efforts to build trust with stakeholders. It can also reduce the cost of managing cyber risks in a sustainable manner.
Of course, it’s not easy to undertake all of these tactics when today’s ever-shifting cyber threats keep your security teams busy enough. The reality of cyber security is that you must continue to do more today than you did yesterday just to stay in the same place.
However, by incorporating these approaches to form digital trust, CEOs can achieve their vision of turning cyber expenditures into strategic advantage. Cyber security can pay real dividends, by bolstering your brand, strengthening customer loyalty and driving meaningful business growth.