Security and privacy are bad words with bad histories, evoking bad connotations with most enterprise stakeholders. For companies to succeed at safeguarding their data, these words must go away. Here’s why:
Information security and privacy protections as we know them today are a response to the ills that have befallen enterprises over time. Enterprises experience a problem or incident and don’t want it to happen again, so they find the most practical way to eliminate it or mitigate against it. As a result, security and privacy practices tend to be restrictive. Furthermore, there seems to be no natural home for security or privacy in the corporate hierarchy. Every organization uniquely figures out where best to place them, so long as the chief executive doesn’t have to be too bothered.
As a consequence, neither security nor privacy has been associated with the positives of most institutions or with their strategically important initiatives. They are clearly not viewed as activities that will help enterprises gain market position, enhance their reputations or provide competitive advantage. Money and investments focused on security and privacy are most often viewed as insurance premiums, to be kept to a minimum consistent with the negative risk experience of each institution. Such spending is certainly not perceived as an investment for winning stakeholders, sustaining excellence or achieving market leadership.
But in today’s world, where an increasing majority of institutions do business online using telecommunications networks that span the globe, security and privacy protections expressed in negative terms don’t make the grade. Enterprises need a positive approach that positions avoidance and mitigation of information security and privacy risks as built-in elements of their business model. They must adopt an approach based on winning the trust of all stakeholders: customers, employees, channel partners, contractors, vendors and shareholders alike. Trust means stakeholders feel safe in the hands of these enterprises and are confident in the secure delivery of their products and services along with protection of their private information.
In fact, trust is good business and is a good business practice.
How Companies Secure Trust
Given the status of security and privacy today, the CIO is most often anointed as enterprise information security and privacy champion. Therefore, CIOs should lead the enterprise to a trust-based business model. The first step is to rethink how the business can engage all stakeholders in a secure and private manner through its technology-supported business processes.
Trust must be earned every day through consistent operational excellence, which includes leading-edge information protection. When stakeholders’ experiences with an institution consistently meet or exceed their expectations, these experiences build awareness, then breed familiarity and finally earn trust, which inevitably translates into profit. In this way, trust undergirds enduring success.
Take as an example American Express. As an employee there in the late 1960s and early ’70s, I participated as Amex established one of the earliest global financial networks. Amex provided its card members and service establishments with, at the time, a revolutionary new way to do business: They could execute secure and private financial transactions anytime, anywhere in the world. To make this so, Amex created an operational approach to ensure that transactions would be absolutely accurate, fully consistent with the individual’s ability to pay and protected to the fullest degree practical against fraud and disclosure.
The linchpin of this model was and is the magnetic-striped card that identifies and validates individual card members and other authorized stakeholders to use the integrated global network. Driven by Amex’s then-CEO, the offering from its outset focused on using technology and innovative business processes (many of which had to be invented) to capture the frequent-traveler market. The model also had to assure service establishments accepting the card, as well as corporate management and financial institutions, that fraud would be strictly controlled.
Amex’s approach, with systematic enhancements, has endured for nearly 40 years and continues to earn the company trusted status around the world. As proof, Amex was voted the most trusted company in the United States two years in a row by respondents to a survey by the Ponemon Institute, a privacy think tank. Amex’s trust-based approach to security and privacy has won it a preeminent position in the financial services industry worldwide.
How Trust Works
The Amex example offers several insights for enterprises operating in a networked world:
Being “networked” is a communal choice, one in which the degree to which operations are secure and sensitive data is protected is defined by the capability of the least secure player.
Trust among interdependent partners is as important to the providers of products and services as it is to the recipients.
Access to the network must be as near to instantaneous as practical or users will find alternatives. They may wait patiently for access for a few milliseconds, but certainly not for a minute or more.
Human assistance is vital. There will always be the need to deal with exceptions that exceed the logical capability of computers. Therefore, a company must ensure that a human being, armed with as much supporting information as possible, is available to deal with non-standard transactions. In this way, users can feel they have received the best possible resolution of their needs.
Securing the network and the information it transports requires an end-to-end design that encompasses all elements of the transaction process, not a collection of bolted-on technologies and techniques added periodically in response to isolated incidents.
A final lesson from Amex is that the CEO and board of directors must be proactive, fully engaged participants in the strategy to build and sustain trust. Amex’s most senior executives view card member trust and the assurance of fully secure access to its network-delivered products and services as essential elements of their business model and stakeholder value proposition.
A trust-based business model is also a natural extension of enterprises’ commitment to compliance with Sarbanes-Oxley (SOX) regulations and the transparency that results. Moving to a trust-based model builds upon and expands the scope of SOX from its nearly singular focus on financial controls to an emphasis on the end-to-end operational value chain and all of the embedded processes and techniques designed to secure it. Importantly, thinking about trust in conjunction with SOX brings the CEO and the board into the equation, better ensuring their active engagement in setting critical strategies and policies.
Redefining Security and Privacy
Given pressure from stakeholders and the demands of regulators, the key to enterprise growth and to CIOs’ long-term job security is their ability to reshape their companies’ thinking about security and privacy. They need to create incentives for their executive management to build an operating model that earns stakeholders’ trust.
If they are successful, security and privacy will change dramatically. With direct CEO- and board-driven leadership, security and privacy will become embedded in investments in new ways of doing business as opposed to being add-on insurance premiums. They will provide new pathways for engaging stakeholders and winning their loyalty.
The payoffs from moving to a trust-based business model are high, perhaps even a matter of survival for some enterprises and for some industries such as financial services, media and health care. Thus, trust will emerge as the new basis for securing enterprise operations and protecting stakeholder information from all risks: strategic, operational and tactical. Companies will use trust to forge new alliances with stakeholders by guaranteeing secure and private interoperability. And in doing so, companies will define competitive success in a global, online, real-time marketplace.
John C. Reece, chairman and CEO of John C. Reece & Associates, is the former CIO of the Internal Revenue Service and of Time Warner. He can be reached at firstname.lastname@example.org.