When talking about cybersecurity, highlights tend to be about breaches, costs, and different methods businesses can apply to contain and reduce both. There are also a number of industry studies, like those conducted by the Ponemon Institute, that help to identify what’s going on in the cyber and tech world, and what new security threats are emerging. This is all helpful in sharing insights and practical techniques that organizations can use to stay on track with their risk management needs, but what about measuring security from a business perspective?
Knowing exactly what an effective security posture does for a business is just as important as knowing what vulnerabilities and security risks are lurking around. So instead of talking about breaches or the components of your risk management plan, today we’re going to talk about key performance indicators (KPIs) in relation to data security.
Even though in practice, and in technical terms, KPIs are metrics that organizations usually use to evaluate how specific areas of business are performing (so that they can make improvements in those areas), if we take an expanded approach to them and apply them to the successful performance of the organization as a whole, there are three that stand out and that are impacted by an organization’s level of security.
Brand – brand image, brand loyalty, brand feeling association.
When it comes to brand image, loyalty, or the feelings associated with a brand, it goes without saying that any hint of insecurity attaches doubt and fear to your brand. That’s not to say you can’t win that trust back, but you’ll have to prove security first. Just think of Target. Granted, they suffered a mega breach and are a well-known brand; but still, because of the size of the breach and their handling of it, their brand suffered big time. For the first year, they lost a lot of money and to this day, there are people who will not use their credit card when shopping at Target.
The size of a breach and how a business handles it make a big difference in the actual damage the breach does to the brand. This is why your incident response team is so important. If they are the right team, they will contain the size of the breach, as well as assist in an effective response. As long as your business is prepared to act effectively when breached, the damage to your brand image will be minor compared to what it would be if you were caught totally unprepared. Being proactive versus reactive with security makes a huge difference in how your brand will be perceived following a breach, no doubt about it.
Customers – retention of existing customers, attraction of new/potential customers, customer trust, customer referrals.
Every organization needs customers to stay in business, but you don’t just need to keep your customers; you also want them to use your services and products. Did you know that a majority of consumers don’t use mobile banking because of security risks? Yes, it involves their finances, so that’s understandable; but think of what that means in this digital era. Mobile apps aren’t going away, and neither is the adoption of the cloud. Both can be used to create a better user experience, as well as a better employee experience. So if your customers aren’t going to use the advances you make in tech to enhance their experience when doing business with you, you’re losing a chunk of business. Furthermore, when reaching out to new customers or when counting on customer referrals, your efforts are weakened if you can’t prove you’re conducting cybersecurity with confidence.
Even though customers are not in the business of security, they read the headlines. The headlines are talking about every breach, big or small, that is happening. Add to that consumers’ limited knowledge of cybersecurity, and any hint of insecurity can cause panic. It’s like flu season: people rush to get their vaccines, or don’t, because they don’t understand the extent of what they’re being told by the media. Some rush to the experts to make sure they don’t get the flu, while others think it’s an exaggeration and just a way for pharmaceutical companies to make money.
Your customers and potential customers may not fully understand security, but that means that the slightest sign of danger will push them away from your business. This also means customers won’t refer business your way. The best way for you to maintain and create customer trust is to take security measures that go beyond compliance, as well as educate your customers about security and what you’re doing so that they can understand and feel safe in using your services or products.
Partnerships – suppliers, providers, business associates, consultant firms.
Even though you may not be looking to partner up with anyone in the real sense of partnership, you most certainly work with other businesses. Whether you’re actually trying to close a contract with a business associate or whether you’re doing business by buying products or services, these other business entities want to succeed in business. This means they won’t do business with an organization that can ruin their reputation. Other businesses, like healthcare providers, actually need their business partners to maintain security compliance, as well as prove security year-round. If you are a company that works with other businesses to run your own business, you need to know that closing that contract can depend on what security steps you’ve taken (besides the standard compliance requirements). If you don’t partner up with businesses, but you’re still involved in some type of business exchange, a breach can cost you that working relationship. No company wants to instill fear in its customers by doing business with an organization that doesn’t take cybersecurity seriously, and no company will invest in a partnership unless it’s sure its investment is safe.
These three business KPIs determine the long-term success of an organization because they are the foundation of actually staying in business. This layout will hopefully give the CIO something to present to the CEO and board that makes a difference when it’s time to discuss the security budget. It should also help the CEO and upper management get a crystal clear picture of how cybersecurity keeps them in business.
As a security company that aims to help you succeed in risk management, we hope you will reach out to let us help you stay in business. Even if you walk away from the call with nothing more than some additional information on where you stand with data security at the present moment, at least you’ll be in a better place than before.