It’s now more critical than ever that you talk to clients about securing their organization. Here’s how you can help them uncover what works best for them.

By Aaron Weller, CISO/CPO, Blueprint Technologies

There was a time when businesses could afford to dismiss cybersecurity as a problem exclusively for the IT department. That’s no longer the case. As threat actors have grown more organized and better resourced, their attacks have grown more sophisticated, frequent, and severe.

Today, roughly 560,000 new pieces of malware are detected each day, and it’s nearly impossible to look at the news without seeing at least one cyber incident that made headlines. Cybercrime, in other words, is a booming industry, and it’s predicted to cost the world $10.5 trillion annually by 2025. In the face of this, cybersecurity must be a top priority for all organizations, regardless of size or sector.

Cybersecurity can no longer be relegated to a single department.

As a solutions provider, you’re responsible for helping clients navigate today’s complicated cybersecurity landscape. You must communicate to them the importance of a strong security posture. And you must do so while performing a delicate balancing act that manages budgets, expectations, and technical requirements at the same time.

This is a difficult task, but it’s also the perfect opportunity to earn your status as a trusted advisor. Here are six things you must account for in that regard.

1. Establish a Baseline

Every solutions provider must address five questions when discussing cybersecurity and data privacy with clients:

  • What assets must they protect and why?
  • What’s their appetite for risk?
  • What’s an acceptable level of security?
  • How can they achieve this acceptable level?
  • How much are they willing to spend on cybersecurity?

No two companies will have the same answer to all five questions, particularly across different industries. A financial services firm, for instance, will have a different security baseline and risk appetite than a luxury apparel retailer. What it ultimately boils down to is education—for you and your customers.

You must determine what’s important to each client, what they want to protect, and what, to them, constitutes a worst-case scenario. You must determine the best way to prevent that worst-case scenario. Finally, you must determine if, at their current level of spend, such an undertaking is realistic.

It’s also important to ask your client whether they’d prefer to outsource their security needs or keep them in-house. Most companies don’t specialize in cybersecurity, and some may not even realize how effective outsourcing can be.

2. Learn How to Define and Convey Value

Most technology initiatives have a clear return on investment (ROI), with easily defined key performance indicators. Unfortunately, cybersecurity isn’t among them. From the perspective of the boardroom, security investments are often viewed as little more than cost centers.

The challenge lies in the fact that if cybersecurity is done right, it may often seem like it’s accomplished nothing at all. Many organizations only begin to lament their lack of security when things go catastrophically wrong. Your best bet is to make that fact the center of the conversation.

Demonstrate what an organization can gain, both reputationally and financially, by avoiding the repercussions of a data breach. Highlight that in an era rife with sophisticated threats and supply chain attacks, cybersecurity is becoming non-negotiable. By 2025, for instance, 60% of organizations are expected to require third-party suppliers to complete cybersecurity questionnaires before doing business with them. Any company that fails to stand up to that scrutiny will likely lose out to more security-conscious competitors.

3. Communicate, Collaborate, and Cooperate

In the context of cybersecurity, whether a particular organization is a competitor of your client is irrelevant. Ultimately, everyone is on the same side. It’s a sure bet that threat actors are collaborating to bring down their targets, so why shouldn’t those same companies work together to prevent that from happening?

The spirit of cooperation that defines the cybersecurity community is an excellent example of this in practice, and one you should encourage your clients to embody. Many cybersecurity vendors actively collaborate with one another even as they compete for business. The U.S. government, for instance, is one of many entities that maintain information-sharing forums where organizations can learn how to safeguard their assets.

The current state of the U.S. financial services sector is an excellent example of what can be gained through a collaborative approach to security, and one you should be ready to cite.

4. Speak the Language of the Boardroom

As a solutions provider, you aren’t necessarily pitching solely to an organization’s security team or IT department. Often, the typical buyer’s group for a complex business-to-business (B2B) solution involves as many as six to ten decision-makers. Not all these decision-makers will be cybersecurity professionals.

In fact, it’s far likelier that many of them won’t be. What this means is that to get total buy-in, you need to speak in a language everyone understands. More importantly, you must ensure the security team’s priorities are strategically aligned with those of the wider business and well understood by all key stakeholders.

This may involve preparing an answer to one or all of the following questions:

  • How will this save us money?
  • Will this investment make the organization more efficient?
  • How does this align with our overall business objectives?
  • How can we measure this solution’s long-term effectiveness?
  • How does this create value?

5. Get Everyone Involved

A cybersecurity solution that introduces friction into the user experience is ultimately self-defeating. For this reason, it’s crucial to involve everyone who might be affected by the solution’s deployment up front. The alternative, in which users discover without warning that their systems are slower, their data is harder to access, or their workflows are interrupted by cumbersome authentication processes, is unacceptable.

You need to strike the right balance between security and convenience. That means providing the maximum level of security in the minimum number of steps. As an example, one of our clients sees a 20% drop in customers completing sign-up with every extra step added to the security process.

6. Security and Resilience Go Hand in Hand

In the current threat landscape, it’s not a matter of if an organization will be attacked, but when—and it’s functionally impossible to defend against every threat.

It’s a grim thought, but it’s one every organization must confront at some point. From a security perspective, that means having solutions in place that are good enough to prevent the bulk of attacks and to mitigate the ones they can’t prevent. That way, even if a breach does occur, the organization can demonstrate to customers, stakeholders, and regulators that it took every reasonable precaution.

It’s the foundation of a new concept known as cyber resilience—something that’s as much about people as it is about technology. We’ve always maintained that culture, not compliance, is the key to success. If an organization doesn’t focus on employee training and incident response processes as much as technology, it doesn’t matter how much it invests in advanced security tools.

Ultimately, all six steps fall under a single umbrella: doing what’s right for your customer. Remember that it’s not your job to solve every problem. Your role, as it were, is to give your clients the tools and guidance they need to address their unique circumstances and challenges.

You want to promote a level of engagement, communication, and collaboration that sets up your clients for cybersecurity success.

Aaron has over 20 years of global consulting and industry experience. After 5 years leading PwC’s Privacy practice for the West Coast, he spent a year helping a leading technology company with their GDPR implementation efforts and now provides strategic privacy advice to companies looking to innovate their use of personal information. Aaron transitioned his focus from Information Security to Information Privacy in 2008, and now consults in both areas. He has held roles including Chief Information Security & Privacy Officer for two multinational retailers. Aaron now leads the privacy consulting practice for Ethos Privacy and the vision for their Ethos privacy management platform.
