It’s human nature to prefer the easy path and be frustrated by challenges that get thrown in our way. In business, challenges usually mean we have to outlay capital to address them or see a dip in our corporate results. But we see time and again that challenges seen in another light present opportunity to those willing to have the foresight and appetite to embrace the opportunity.
For some forward-looking companies, the challenges posed by cybersecurity threats present an opportunity to differentiate and gain monetizable advantage—for the most forward-looking, I believe privacy will be the next big opportunity to differentiate.
Let’s take a look at how I come to this conclusion. First, both cybersecurity and privacy are categories of corporate risk, and they must be addressed to meet compliance requirements and minimize the possibility of brand damage. What may be an ‘aha’ moment for some is that corporate risk itself provides not only an opportunity to fail, but an opportunity to gain. In many ways, capitalizing on corporate risk isn’t unlike investment risk. Few of us keep all our assets in cash, since we understand that while there is risk in investing in the market, the opportunity for return is far greater. We have 401Ks, stocks, and bonds, since we understand taking the risk could pay greater dividends over the long run.
Yet many companies see corporate risk as something that needs to be managed through lawyers and the minimum staffing and budget required to address it. However, for consumers, certain categories of risk represent significant enough concern to become a purchasing criterion. Herein lies the opportunity.
There’s no question that the public is concerned about cybersecurity. For years, headlines in bold font have been telling stories of hacks that have exposed the personally identifiable information of ordinary citizens across the globe. These incidents have not only increased concern for security in the public, they have caused untold damage on the brand image of the hacked enterprise. If consumers and enterprises choosing third-party vendors are concerned enough about risk, they will begin to choose products and services that clearly call out their security features—and increasingly, some companies have pulled cybersecurity into their core strategy and are highlighting their cybersecurity advantages to tap into the opportunity this presents. Expect to see more of the same. Consumers have plenty of choices and can easily choose products and services that cater to their concerns. The most forward-looking companies will be ready to provide these options to a concerned public.
We are just in the early stages of seeing cybersecurity used as a differentiator. Looking farther forward, privacy is likely to be the next risk-based challenge to convert into opportunity. Let’s look at how privacy is following in the same evolutionary footsteps as cybersecurity.
Cybersecurity: The Model for Risk Resistance, Acceptance, then Differentiation
Cybersecurity and privacy are distinct issues with differing challenges and outcomes, but from a public view, they evoke similar responses—people have lost control of information about them, have an unsettling lack of certainty about what is going to be done with that data, and fear the consequences.
Cybersecurity risk came far earlier than privacy concerns in the United States but both appear to be following a similar path in how organizations and regulatory bodies respond, giving us a good indication of how privacy will likely play out over the next months to years. Below is a simple timeline of how companies responded to the emerging cyber threat:
1. Ignore It:
Initially, as the internet enabled mass gathering and storage of at-risk data to enable digital business models, IT was charged with assuring the ‘CIA Triad”: Confidentiality, Integrity, and Availability of information. Before cyberattacks regularly hit mainstream and regulatory bodies jumped into the fray, companies hoped that IT teams would be able to handle issues as a they arose.
2. Do the Minimum:
Yet cyberattacks didn’t remain on the sidelines; they continued to escalate and put Confidentiality, Integrity, and Availability at risk. Regulatory bodies began to institute some guidelines and mandates, and because it could no longer be ignored, companies diverted just enough staffing and budget (usually one or two IT staffers assigned cyber responsibilities) to begin to focus on addressing cyber risk in specific and avoid being negligent.
3. Move It to a Core Business Function:
Both public and private-sector organizations alike had to yield to the inevitable—cyber risk had become such a critical business issue, potentially effecting business reputation and even viability, that it had to be considered a core business function. The CISO role and dedicated cybersecurity teams were implemented in mid-to-large organizations and few organizations neglected to give it focused attention.
4. Recognize It for What It Now Is: An Opportunity to Differentiate:
We are here: some companies today recognize that, in the wake of high-profile retail, product, and services breaches, cybersecurity can be a point of differentiation.
Privacy in the Public Mind
I will argue that like cybersecurity, privacy can no longer be ignored. Certainly not in the European Union where it is already shifting into a core business function. Not even in the United States where regulatory bodies and state governments are only beginning to dabble at privacy in isolated industries or localities.
Privacy—or the individual’s ability to know and control who their data is shared with—is viewed differently in the EU than in the United States. In the EU, which has a different history and cultural heritage, there is a stronger historical mindset and belief that individuals should be able to protect their privacy. For that reason, the EU has led the way in privacy regulations in the form of the General Data Protection Regulation (GDPR), a sweeping set of requirements that mandates the individuals’ right to understand with whom their data is shared and demand that information be deleted upon request by companies that store or process this information.
GDPR is backed by stiff fines for non-compliance and meeting its guidelines requires significant re-architecting of processes and data flows, and even the appointment of a Data Protection Officer. There is little debate that it is now a core business function for many EU enterprises and even U.S. enterprises that serve EU citizens.
There are ongoing questions about how, in what manner, and when actual fines will be levied. But organizations must not lose sight of the important fact that it is the public that is driving the actions around privacy; it is the public that has options; and it is the public that will be the final arbiter upon companies that fail to comply with privacy considerations.
In the United States, the privacy great awakening grows. While U.S. history and structure formed a society far more focused on capitalism and a less privacy-conscious public, the momentum is nevertheless growing. Recent news about Facebook selling customer data to researchers that was ultimately used for political leverage—and the public response to this news—is an obvious example. Uber has also been under scrutiny for releasing passenger information to state regulators as well as allegedly making it visible to employees; Google is now also under the spotlight. These companies are making significant investments to respond, improving their privacy practices, but other companies will not be immune to similar inquiries. The state of California signed The California Consumer Privacy Act of 2018 into law on June 28, 2018, just a few days after being introduced into the California Legislature. This law is very similar to GDPR to protect the privacy of California consumers—will other states follow suit?
If this trend continues U.S. companies will ultimately have to be accountable to their consumers if not also regulators. Today there are minimal options for migrating off some of the major platforms—but in time more viable options will be created. Top players will be in position to either yield to consumer demand for better individual privacy controls or watch as their users trickle off to entrepreneurial new platforms that arise to meet the demand. However, changing business models takes time—so only those with foresight will be ready to meet this trend, should it continue.
Privacy is considered a core business function in the EU, and if cybersecurity serves as a repeatable model, it could well continue to move forward to a point of differentiation regardless of geography. Directors should ask themselves today what their appetite is for embracing challenge, and turn today’s challenge into tomorrow’s opportunity.