Is security just an afterthought? Not according to Infonetics Principal Analyst Diane Myers, who says it’s the #1 criterion for buyers of cloud communications. The fact that security is the most important concern among enterprise IT decision-makers is strong evidence that companies that do a good job at security could find themselves at a competitive advantage over their less-secure rivals. But how can you get your company to really focus on doing security right—not just because it’s the right thing to do, but because it’s financially sound?
It’s easy to see why so many CIOs and other senior managers say that security is their first concern. It’s not hard to think of dozens of organizations that have suffered security breaches—Target, Home Depot, the IRS, Anthem, CareFirst—and dozens more. We all know of companies that have taken huge hits, in terms of reputation, fines and financial losses.
But few companies stop to think that simply doing a better job of addressing security problems can be a competitive advantage. Organizations that sidestep such problems are often better run in other ways—because they’ve evaluated their processes and thought through how they can improve them. They also avoid the fines, wasted time, and loss of reputation that their less security-conscious peers suffer.
And organizations that think of security and compliance as more than a useless formality avoid the time wasted later, when the impacts of bad decisions and of looking the other way are so much worse because they have festered for years.
Security and compliance directives rarely work unless they come from the top, so you have to get upper management to 1) make a commitment and 2) understand that it will take resources and reinforcement of good behavior—and maybe even exposure of bad practices—to make the commitment “stick.”
The key to this is quantifying the negative financial effects of a breach, and the positive effects of being an industry leader in the field, or of providing extra-secure products or services. In the case of 8x8, for example, we were able to turn our compliance with various requirements such as HIPAA, FISMA, PCI-DSS and Safe Harbor laws into an advantage in the cloud unified communications arena. None of our direct competitors advertise that they comply with all of those objectives, which is understandable, because it requires a lot of work—but it has paid off for 8x8. We can now use our compliance as a competitive feature.
Schedule a meeting with top decision-makers, and be ready to:
Most people who go in prepared—and can talk about security and compliance’s effect on the bottom line—are able to get top management to endorse their plans. But that’s just the beginning. In an upcoming blog, we’ll talk about a woefully underused secret to help get everyone in your organization to take security seriously.