Executives tend to fall into three camps when it comes to understanding cybersecurity’s strategic advantages.
- Leaders who see information security as a discretionary cost. This mindset may last for a while, but it always turns out to be temporary. That’s because hackers attack small companies, too, along with companies that think no one would want the information they have. When “if a hacker attacks us” turns into “when,” the leaders move into the next category…
- Leaders who see information security as a cost they pay grudgingly. To this group, securing their data may feel like upgrading the building’s heating system. Paying the bill just preserves the status quo rather than getting you anywhere. This mindset at least protects the company, but it’s still a limited view that leads to missed opportunities.
- Leaders who see information security as an investment in future growth. Motivational speakers love to quote Wayne Gretzky’s observation that he skated to where the puck was going to be, not where it has been. Make no mistake: For businesses, the puck is undoubtedly going to be waiting on the other side of a strong cybersecurity game.
Right now, the third category remains a fairly small club. It’s not quite a first-mover advantage anymore, but activating a proactive information security strategy as a marketing tool certainly puts you ahead of much of the pack. So forward-thinking leaders still have a window for using cybersecurity as a business advantage.
Pratum’s consultants help clients do exactly that. Jim Sixta, a senior information security consultant, advises clients to ask themselves: “If you’re in your future clients’ shoes, what are they going to require of you? When that client comes knocking on your door, you won’t be able to say yes unless you start working on it now. Customers won’t give you time to comply. They want to get a quote and go.”
Here are five areas where information security plays a central role in planning for your business’ growth:
1. Industry-specific requirements – Longstanding regulations like HIPAA may already be part of your business operations. But as the cybersecurity industry matures, sweeping new standards are on the way. Starting in late 2020, for example, the Department of Defense will begin adding CMMC compliance to its contracts, with every contract including this requirement by 2025. In all, that means about 300,000 companies must earn this certification through a third-party assessor in order to win or renew work with the DoD.
2. Government privacy standards – We may be nearing Peak Outrage over how titans like Facebook and Google have been handling all of our personal data. In response, multiple countries and states are passing new laws controlling how companies collect, store and use personal data. If you’re not already clarifying how laws such as the EU’s General Data Protection Regulation and the California Consumer Privacy Act affect your operations, Wayne Gretzky’s puck is likely to hit you in the face soon in the form of mandated operational changes and fines for those who fail to comply. (For an overview of recent changes in this area, see our blog on privacy laws.)
3. Current client requirements – Even if you’re taking a “let’s see what the government makes us do” approach, many of your best clients aren’t waiting around.
Throughout the private sector, detailed information security questionnaires and grids have become standard due diligence components for many companies selecting vendors.
Pratum CEO Dave Nelson says, “Wal-Mart, for example, has been pushing aggressive security requirements onto its direct suppliers, which are being pushed down through the supply chain. Wal-Mart wants to know that if they accidentally send out a confidential file, they have one response, not 50 different responses in each state. You can be three customers away from Wal-Mart and still be part of the ripple effect.”
Nimble companies can respond quickly to requests from potential customers because they keep updated statements about their cybersecurity posture and workflows. Imagine how it affects your chances of winning a deal if it takes you two weeks to fill out a security information matrix and your competitor sends theirs back on the day it’s requested.
Customer requirements may include elements such as earning a SOC 2 certification, which can take up to 18 months if you’ve never done it. If a competitor coming after your customers already has that certification and you haven’t even started on yours, you may quickly find out just how loyal your key clients are.
4. Dream client requirements – This is where another favorite motivational slogan comes into play: Luck favors the well prepared. If a client appears on your Big Hairy Audacious Goals list, they’re almost certainly on the front edge of information security. When your dream customer reaches out with the opportunity of a lifetime, will you have the security game to close the deal? Multiple Pratum clients brought us into the picture only after they had to turn down work from clients like giant national retailers because they couldn’t meet the security requirements. Next time, they’ll be ready for the deal that transforms their company.
5. A new selling point – Based on all the points above, if your information security stance is ahead of the pack, you have a marketing advantage. You can take that into all of your pitches with the message that you’re ready for secure business on Day One, which also speaks to your company’s overall position as a savvy market leader.
One of Pratum’s industry partners, Baker Group in Iowa, has identified a robust cybersecurity stance as a key way to separate from other building services contractors when it bids on new work. “We’re engaging Pratum to create a competitive edge,” says Daryld Karloff, Baker Group’s executive vice president of building services.
How to Prepare for the Future
Upgrading your information security posture needs to start immediately. If you haven’t focused on creating a future-ready information security plan, you may have already lost opportunities that you won’t even know about for a few months. But the good news is that this world is still young enough that you can turn your company into a leader.
To start creating an information security plan that positions your company for growth, contact a Pratum consultant.