This week I read an “op-ed” on data privacy and security, written by a SaaS vendor in the data management space. I agreed with much of what they said but cringed as they concluded that their cloud product would solve all data problems easily, with a minimum of effort on the customer’s part.
It got me thinking about our industry’s continuing obsession with “quick fixes” — something we know doesn’t work in education, in business, in our careers, or in our personal lives.
Why do we keep insisting on technology quick fixes? Why do we avoid the hard work involved with data security, privacy, and protection? Isn’t there a better way to support positive change?
Tech First, Tech Always
When it comes to solving information security challenges, our industry continues to rely on technology to the exclusion of people and process. Instead of thoughtful research, careful strategy setting, and long-term planning, we gravitate to products promising they’re “easy to use,” with “minimal interaction,” and “powerful reporting.” We want to skip the beginning and middle parts and get directly to the end of the story.
As a result, our data security and privacy plans read more like product implementation schedules and less like business goals, objectives, and tangible outcomes.
What would happen if we tossed away the crutches of technology? What would a process with more integrity look like? How could we make people the focal point (again)?
Who, What, Where, When, Why
One way for security leaders to become more proactive is to put away all the screens, take out a blank sheet of paper, find a quiet place (inside and out), and use the 5 W’s (Who, What, Where, When, and Why) to outline a data risk management strategy:
- Name the senior leaders in your organization who have the most to lose — or the most to gain — from data. What’s at stake for them?
- Name the one person in your organization who is most responsible for operational (day-to-day) data security and privacy. Is this a cabinet-level executive with authority to set strategic direction? Do they control budget, and if so, how does it compare with your IT, legal, or facilities budget?
- Which senior leader is most aware of and educated about data risks facing your organization? Has that person been vocal about it? If so, how?
- If your board of directors were forced to write out your organization’s one-paragraph strategy for data risk governance, what would they say?
- What data do you have? Can you name 10 different types of data you collect, store, process, transmit, buy, sell, or manage (and of those, what are the most sensitive data types, and why)?
- How much data do you have in total?
- What platforms is your data stored on, and in which locations?
- Where do you operate (internationally, multi-nationally, in one country, state, locality, in one or more industries)?
- Where does your cloud data “live”? Can you verify it?
- How long would it take to account for all your data assets? What would you provide to a regulator or investigator? How would you go about it?
- From the moment a data breach is detected, or suspected, how long would it take to begin, conduct, and likely conclude an “incident response” process? Who is responsible for each aspect of the response effort?
- What would your organization do if it had high-quality, integrated, actionable, protected data to base business decisions on? Would that have financial value, and if so, how much value?
- If your organization suffered a catastrophic data breach or loss, who would be blamed and why? What would happen to that person?
- Is better data a potential competitive advantage for your organization? How could you use it to outperform, improve, sell more, or provide better service?
It’s Never Too Late to Start
Security leaders often ask me how to get out of their technology “box” and engage senior executives in substantial business conversations.
The first thing I tell them is that it may be the most difficult challenge they’ve ever faced. The second thing I tell them is that it may be the most important skill they’ll ever learn.
One approach I’ve seen work is the “Challenger” sales approach described in Matthew Dixon’s book, The Challenger Sale: Taking Control of the Customer Conversation. In the Challenger model, you don’t try to build relationships or make friends; you teach your customers something new, educating them about challenges and business impacts, proving out your case, and offering a solution with tangible (hopefully unique) benefits.
Importantly, this has nothing to do with technology.
“Sell” Like a Challenger
After identifying Who, What, Where, When, and Why, you should take 6 basic steps (thanks to Blinkist.com’s succinct breakdown):
- Build credibility. Point out to the Board that moving all customer data to the cloud might make it more susceptible to loss and compromise.
- Reframe the problem. Mention that secure data sharing creates deeper customer loyalty and repeat business.
- Prove your point. Show recent research proving how customers increase repeat purchases and generate higher Promoter Scores when their information is actively protected.
- Demonstrate direct impacts to the business. Highlight an alarming trend: the business has had lower customer retention and recurring revenues over the past several quarters.
- Propose a new approach. Tell your Board “our customer data could be more than just something we have to provide — we could offer unique, data-driven insights to our customers (something our competitors don’t offer), and develop new ways to engage more deeply throughout the customer lifecycle.”
- Offer a solution (now that your audience is convinced). Suggest selectively migrating customer data to the cloud, creating a secure customer portal that provides data access AND insights into activities, and providing direct links back to your e-commerce platform for additional purchases.
Lining Up with the Bottom Line
Instead of nagging senior leaders — for the thousandth time — not to go to the cloud (because it’s not safe), take them on an educational journey about how to improve customer retention and pump-up revenues (while just happening to achieve your data protection goals).
Is this approach simple or easy? Nope. Is there a technology quick fix here? Not at all.
But this approach works. It will help you redefine and elevate your role with senior leaders, and meaningfully align you with the organizational mission.
You’ll go from being both a victim and a scapegoat, to becoming a partner with a seat at the executive table.
To learn more about building out a comprehensive data risk management program, check out Infolock’s Data Risk Management Framework
To learn more about Matthew Dixon and the Challenger approach, check out challengerinc.com
To learn more about bite-sized non-fiction reads, check out blinkist.com
Sean Steele is co-founder and managing partner at Infolock.
- Ullico gets proactive with data risk
- 4 in 4: 4 Insights From My First 4 Months at Infolock
- American College of Radiology Chooses Infolock
- Challenge the Status Quo
- Data Breach Cynicism Takes Hold
- CISO, We Have a Problem
- The Four Do’s of DLP
- The Demise of Symantec?
- Drowning in Data?
- Vendors Know You Too Well
- Banishing the Backseat Drivers
- Throw a New Year's Curveball
- Managed DLP Services
- “It’s the Data, Stupid!”
- Peak Vendor: Reclaiming InfoSec Priorities and Budgets in the Age of Big Marketing