Cyber Security Strategic Lever
Transition cyber security capabilities into a strategic advantage. Move from treating cyber security as a cost center to a profit lever
This article is the first in the series of three articles that are designed to equip board directors with three distinct, meaningful and actionable insights outlined below:
Three distinct insights are:
For business leaders, how you look at cyber security capabilities matters, in a significant way. As Henry David Thoreau said “The question is not what you look at, but how you look and whether you see.”
Cyber can be a strategic profit lever and value driver if and when leaders become intentional
Strategic competitive advantage can come from unexpected sources
Cyber Resilience. Emerging Risks.
Business value creation of cyber security
Cost center into profit driver
Brand and reputation damage
Cost efficiencies - paper checks and digital payments secure
Security strategy allows contractors to work remote with productivity gains
Speed - operational speed
Drive down insurance costs
HR was a cost center but now with TSR is a strategic lever. Supply chain was a cost center and is now strategic (e.g. UPS using AI DeliveryDefense as a differentiator). Customer service call centers? The same thing.
Cyber helps you see IT and profit levers - identifying new (business) strategic opportunities
Generate strategic value from cyber. Build cyber capabilities as a strategic value engine
Can a robust and effective cyber security capability create new value for your business, a new value proposition for customers, or other competitive advantages resulting from operational velocity? Most of us are doubtful that this is possible because cyber has traditionally been viewed as a cost center and not a profit lever. We’ve historically viewed cyber and IT in a support role/function (vs a core function) that’s somewhat necessary for doing business.
However, in the digital economy, cyber and IT are no longer support functions but are core to the business. Some organizations have not made this shift in mindset yet, and understandably so: it’s not easy to change mindsets unless there’s a compelling event that forces us in the direction of the mindset change that we should have found ourselves (i.e. absent the event).
Yet there’s a significant benefit if we can make this change from cost center to profit lever without experiencing a compelling event (e.g. data breach, material incident, new regulation, etc.). To implement this change in mindset, we’ve outlined some foundational principles and philosophies that are worth considering.
Mindset: Out of a single mindset flows a thousand different behaviors. If you view IT and cyber as something to keep the lights on, then it’s difficult to see the opportunities it has to make material contributions to the bottom line. Recognizing that this shift needs to happen is the first step, and it begins with the CEO. The CIO and CISO can help, but ultimately the CEO has to sustain this perspective for the long-term benefits to be realized.
Relationships: Currently, these are one-way relationships for the most part, meaning IT and cyber speak business terms or engage in the business. In some instances, cyber is in reactive mode, waiting for IT and business decisions and then implementing cyber practices after the fact. Some cyber chiefs are brought into the conversation at the end of a major business decision (e.g. M&A, business strategy planning). Proactive relationships are those where both business and cyber are engaged in learning about each other, their respective roles, opportunities and challenges. This should be a two-way street: not just cyber learning about the business but also the business learning about cyber; not to become a cyber expert but to understand the implications of various cyber functions and to be conversationally literate and fluent in the language. Confident to engage but not so much to teach unless interested.
Operational Speed / Velocity - Speed To Value
Develop learning strategies
Apply growth mindset and principles to the challenge
Implement new value shifts and leadership transitions
Model the mindset for other members of the leadership team and even the board
Invest in yourself and future growth and development - digital is here to stay and so is cyber. It’s not going away.
There are different elements of strategic value creation for businesses and these include:
New revenue-creation opportunities
Cost efficiencies
Operational Speed
Consumer/Customer trust
Mexico trip analogy -
Unfortunately, my perception of Mexico City had been influenced by reports of violent drug cartels and stories of kidnappings, so I was mentally resigned to not visiting the city. And I didn’t see a need to either until I was presented with an opportunity to help a client and was told I needed to visit Mexico City and/or Merida. At first I said no, but my client reassured me that they would ensure my safety. I ended up visiting and it was a great experience. As a result, we have new clients/customers that we otherwise wouldn’t have without the security offered by my first client. Likewise, cyber security does the same thing.
Competitive
Mindsets and principles
Cultivate business relationships proactively. Requires value shifts and trust building
Create value for relevant stakeholders. A give mindset and not a stop or take (things away) mindset
Out of a single mindset, flows a thousand different behaviors
Values influence mindsets
This article is the first in the series of three articles that are designed to equip board directors with three distinct, meaningful and actionable insights outlined below:
Three distinct insights are:
Compliance is crucially important but it can produce a false sense of trust.
Compliance without commitment (to the underlying intent) can have compounded second-order implications.
Compliance and commitment offers a better strategic approach than compliance alone.
In this article, we focus on the first. The primary objective of this article is to help directors avoid the common pitfall of focusing on compliance (in this case SEC Cyber rules) and inadvertently neglecting the required commitment to the underlying intent and stakeholder trust. Ultimately, our hope is that these insights will inform intentional actions that will increase effectiveness of cyber risk oversight.
1. Redefine How You Look At Cyber & What You See
For business leaders, how you look at cyber security capabilities matters, in a significant way. As Henry David Thoreau said “The question is not what you look at, but how you look and whether you see.”
How you look at cyber security matters and it matters a lot! Most organizational leaders look at cyber as a necessary evil, an operational necessity, something they have to have to be compliant and to reduce the risk of bad things (e.g. data breaches, business disruptions from ransom-style attacks) happening. With all the frequent and negative headlines reporting cyber incidents and data breaches, it’s no wonder the focus of leaders is on the risk management side.
Some organizations look at cyber risk as something that can be outsourced or transferred to cloud providers and/or managed services-security providers (MSPs). Still others only look at or see what they can get away with or without doing. They concentrate on doing the bare minimum to avoid or manage future cyber trouble. And again, it’s hard not to have this view point/mindset. Very smart leaders arrive at these behaviors based on their view that cyber is really an operational necessity to deal with as efficiently as possible.
The problem with this view of cyber is that it often fails to uncover the true and hidden business potential of cyber capabilities. It’s like those companies years ago that had a similar view about Information Technology (IT). Arguably, some organizations still have this view about IT. They maintained that IT was just a necessity and leveraged IT primarily from an operational cost-center viewpoint to help with employee productivity. The same could be said of the HR function and capabilities: most looked at HR as the function to handle employee onboarding and benefits as opposed to leveraging HR as a strategic talent capability for the business.
This sight problem is not limited to business functions within an organization but extends to entire businesses and industries as a whole. For example, some CEOs said, “We’re in the train business and not the transportation business.”
It’s difficult to look at cyber and see anything but a cost center to minimize risk. It’s difficult to uncover the hidden potential of cyber but it’s possible and those who can maintain a broader perspective can expect to reap significant rewards when they do so.
You won’t see the innovation opportunities unless you look for them and redefine how you look at cyber.
Transition to: Cyber can be a strategic profit lever and value driver if and when leaders become intentional
2. Cyber As Strategic Value Driver
Cyber can be a strategic profit lever and value driver if and when leaders become intentional
There are different elements of strategic value creation for businesses and these include:
The strategic value driver of cyber is often overlooked or neglected by business leaders as we’ve outlined above because there’s a central focus on risk mitigation and rightfully so. However, the hidden potential and opportunities remain buried for most organizations. So what are these opportunities? There are several but here we focus on four essential strategic opportunities to consider:
New revenue-creation opportunities
Cost efficiencies
Operational Speed
Consumer/Customer trust
New revenue-creation opportunities - leverage security above and beyond the basic foundational security for products/services. These may fall into the following categories:
Premium offerings of digital products and services. The central idea here is to leverage your organization’s strong cyber capabilities to fulfill unarticulated customer needs. We recommend adopting the jobs-to-be-done approach popularized by the late Clayton Christensen to understand the functional, emotional and social needs or jobs to be done. The objective is to combine your cyber capabilities with existing organizational competencies to form a new value proposition and premium offering for customers. For example, Best Buy offers a remote patient monitoring service (combining health, convenience and data security) that provides a high-touch customer experience. This offering involves a significant amount of data, which undoubtedly factors into developing such an offering. Best Buy has the Geek Squad to leverage here.
Sometimes cyber can be the core of the premium offering and doesn’t need to combine with other strengths of the organization, as in the case of some web hosting services that offer premium security protections for websites. In this case, it’s like the incremental offering of a safety deposit box offered by banks. In some other cases, cyber can serve as a competitive differentiator where cyber risk mitigation is highly valued. Dr. Manuel Hepfer, Head of Knowledge and Insights at ISTARI, a Research Affiliate at Oxford University's Saïd Business School and a contributor at the World Economic Forum, shares his perspective: “In my research at Oxford University, I spoke with executives who have started to view cybersecurity as a strategic asset. These leaders, having guided their company through a survival-threatening cyber attack, began using their cybersecurity accreditations to create new value propositions for customers… One CIO told me, ‘We have won two significant bits of business and we won because we are one of the only companies that are accredited to security standards. That is starting to become a differentiator for us.’”
We ourselves have experienced the benefits of clients valuing select consulting firms over their competitors based on their ability to provide cyber expertise through partners or collaborators. Whatever form it takes, exploring how strong cyber capabilities can open the doors for new premium offerings is worth the time in our view.
Remember to include blackberry and wealth/investment management examples.
Cost Efficiencies - How do strong cyber capabilities create cost efficiencies and operational speed advantages for an organization? Before outlining three examples that illustrate these advantages, it’s important to highlight the foundational assumption here: these advantages only exist for organizations that have considerable operational digital assets and capabilities. In other words, if an organization employs only limited digital assets and capabilities, then having strong cyber risk mitigation and/or resilience capabilities won’t provide any meaningful or substantive advantage.
There are three main cost and speed advantages of having a strong cyber posture:
Cyber Insurance Premiums - these are lower when strong cyber capabilities are present
Operational Speed & Agility - product launches, M&A timing and new opportunities. Operational velocity can be a competitive advantage and a key differentiator, and cyber strategy can either accelerate it or slow it down. Examples include being able to ensure adequate cyber security for products (e.g. Johnson Controls) before product launches, or delays in product launches due to cyber risk concerns. Leaders who are sensitive to such false product starts will delay launches until adequate cyber is in place. Alternatively, cyber that’s integrated into business operations and product launches from the start speeds up product launch cycles comparatively. Organizations can get left behind if they don’t have the capabilities to meet market demands in a timely fashion, and if security puts on the brakes because of significant cyber risks, then competitors can gain market share and mind share.
Incident Resolution Times - incident investigation and resolution time. The more direct costs related to cyber are those that are tied to material cyber incidents and data breaches. In other words, if you don’t have cyber, the likelihood of these incidents and associated costs goes up. Other indirect or hidden costs include incident investigation and resolution times.
Consumer/Customer trust:
Brand Trust: Strong cyber capabilities can contribute to brand trust across two broad dimensions that are important to consider when exploring how to leverage those capabilities: the reactive and the proactive. We explain each below.
Reactive: A common example of reactive brand trust in the context of cyber capabilities and digital trust is the response of an organization to a data breach or material cyber incident. In simple terms, trust is either elevated or diminished based on the organization’s response to a material cyber incident. Examples include data breaches and poor responses to them.
Some/most organizations, however, don’t leverage successful and effective responses to these incidents as a strategic asset for the company. They’re not intentional about marketing their response capabilities to other customers that may care about cyber, and rightfully so, as some don’t want to invite unnecessary attention to their cyber capabilities. This is very tricky and most prefer to steer clear of the incident altogether. However, for public companies that have to disclose material incidents to the public via the SEC cyber rules, this strategy may be worth considering. The incident and response will already be available to the public, who will begin to form their own narrative of your brand trust. It may be worth considering how to utilize these successes (assuming they are successes) to influence and enhance trust in your brand.
Cyber incidents are going to occur; the main differentiator is going to be how organizations respond. Of course, to respond effectively, you’ll need strong cyber capabilities and strategy. You can’t market secure 1-day delivery if you can’t deliver shipments in 1 day or less. And if you can consistently deliver in 1 day but nobody knows that, then you’re not effectively influencing your brand. Imagine if Amazon could ship in 1 day but nobody knew about it.
Proactive Dimension: The second is the proactive dimension, and this can be more challenging for some organizations. Proactively influencing brand trust using cyber means not waiting for an event/incident or data breach to trigger the effort to demonstrate cyber trust. It means proactively demonstrating cyber trust signals that stakeholders, including customers, value. It’s important that stakeholders value these signals and their underlying value. Otherwise, this will be ineffective. The concept of non-cyber trust signals and markers is already used in a variety of industries, services and products today. These include USDA, FDA, FDIC, Visa Secure and bond ratings (AAA, etc.). Hyundai used warranties effectively as a trust signal/marker to elevate the brand recognition.
This is not the same as compliance without commitment, although compliance does play an important role.
For technology providers, these include SOC 2 and CMM maturity models. The U.S. Cyber Trust Mark, used for IoT or consumer products, is another example in the IoT space. These markers help to differentiate the organization, product and/or service and signal to those that value data and digital security that the organization takes cyber seriously enough to make every effort to keep their data safe but, more importantly, to respond effectively to reduce the impact and provide meaningful remedies at no cost to the customer or client.
Additional ways to leverage cyber trust to proactively influence brand trust include:
Cyber trust warranties
Periodic client/consumer cyber awareness training - not for internal but for clients
As noted earlier, for these markers to make a significant difference in brand reputation, the customers/clients must value cyber security.
Business customers may value this more in making a selection for their service providers, etc. …include Examples
Move to conclusion and wrap up
In summary, cyber security/trust can make a substantial contribution and play a more significant role as a strategic asset for organizations: a role that goes beyond the operational necessity of keeping the lights on and preventing/remediating loss to one of contributing to value creation and realizing gains. This can be derived from new and combined sources of revenue, cost efficiencies, operational agility/speed and brand reputation. This reframing requires a subtle but needed change in mindset, from cost center to profit lever. If the role of cyber and technology remains that of order taker from the business, subservient to the business, realizing this shift in mindset becomes more difficult. Instead, the role of cyber can and should be redefined as serving customers/clients in ways that work for the business, as product management author Marty Cagan states. This is different from serving the business because it focuses on driving value creation for the end customer/client and not just providing what the business asks for. Why? Because sometimes the business may not be aware of what’s possible and therefore limits its requests to what it knows is possible, which oftentimes is different from what is truly possible with cyber security capabilities. May we gain the wisdom and courage to explore how to leverage cyber as a strategic asset specifically for our unique circumstances and organizations.
…include Examples
2. The Right Focus
The right focus helps make the most of directors’ time, which is in very short supply. Often directors are dealing with crucial decisions related to a variety of topics ranging from capital allocation and geographical expansion to M&A and/or divestitures and more. Today a typical management cyber presentation to the board doesn’t maximize the board’s time. It basically attempts to inform the board of risk-mitigating activities and/or their results and effectiveness.
For example: we do phishing simulations and 85% of our employees don’t click on malicious phishing links. Those that do (15%) are directed to attend more training. Or, we conducted x number of third-party risk assessments with no material findings, or the results of our penetration testing exercise uncovered x number of vulnerabilities that we’re working to remediate. These are all good data points to be aware of, and these functions within a cyber program are definitely required, but we believe this approach does not have the clarity and context that would be most effective and time efficient for the board.
We therefore encourage board directors to guide and coach management to consider alternative approaches. One of these is outlined below and was adapted from Ram Charan, the world-renowned corporate governance expert and author.
Clearly articulate what the issue or objective is, for example a current or future decision. Also clearly define the expectation from the board: what is or will be the ask from the board? Is it a board decision or not?
Provide relevant context surrounding the issue or objective. Relevant in terms of business implications that board members can relate to.
Outline the potential solution options and alternative actions that management has analyzed and considered
Share your recommendation and point of view on the way forward
Invite discussion, alternative view points and encourage engagement
Reframing the presentation using the approach above, we believe, will maximize directors’ time. The updates from cyber functions can also be integrated or, better still, can be provided to directors ahead of the board meeting.
that we believe is more effective than a read out of cyber program functions.
Engagement
Commitment
Decisions
Clarity: Clear Outcome or Objective
Board Leadership Commitment
Engagement
Board directors sometimes, actually often, ask us if the cyber update given by the cyber chief (CISO/CIO) or respective leader was a good or great one. Generally speaking, the update they’re referring to typically involves a 15-20 minute presentation that talks about some key risk indicators or risk numbers (e.g. phishing rates, patching, vulnerabilities, etc.) or updates on large security projects and/or “material” incidents. At the end of the presentation, or maybe during it, the one board member with a cyber background asks a couple of questions or may decide to go into the weeds about why a particular security project is delayed while the rest of the board (out of respect) waits impatiently to move on to more pressing items on the agenda. This is characteristic of a typical cyber board briefing update, and we don’t consider this a great or even good briefing because it lacks the key ingredients of great briefings and the resulting effective cyber oversight.
A great one looks like this, and this is why you care about great briefings and how to create one on a regular basis (at least quarterly for medium-high risk profile organizations).
There are three foundational and fundamental elements of a great board briefing on cyber risk. These assume you’re already committed to cyber and have board members who are actively engaged in their board governance and oversight roles.
A - Engagement: A great briefing has an unmistakable energy of engagement displayed by a majority of board members. You can feel the progress in the boardroom. Discussions, though cyber focused, inevitably connect with critical business strategy elements of the business. And this is why even directors without cyber expertise can engage passionately in the discussion. For example, a cyber briefing could be discussing the primary risk of business disruption by bad actors and the impact to the business, and not just that the cyber team stopped a certain number of ransomware attempts.
Talent - or talking about attracting and retaining cyber talent which naturally evolves into touchpoints with culture, employee engagement, compensation, etc.
A great briefing connects the dots and this is reflected in the engagement from board members. To create this level of engagement, three things are needed:
a - Effective communication
b - Cyber expertise
c - Relationships
Decisions: Is it possible to have good board engagement and ineffective cyber oversight? Yes.
Ultimately, strategic decisions about risk mitigation investments and potential opportunities must be made for effective cyber oversight. These typically will take the form of proactive measures to reduce risk and potentially explore how to leverage such investments to elevate the brand or increase value to clients, customers and consumers. Some of these decisions may involve staying ahead of new cyber regulation and crisis preparedness. Whatever the form, these decisions are made by the board, effectively and decisively.
There’s a clear understanding and awareness of the implications of these decisions on the business and all relevant stakeholders. These decisions are not reactive but proactive, and they anticipate where the business is going and the associated risk velocity of the business. To create and allow for effective strategic decisions, here is what’s required:
Business strategy and vision: You can’t mitigate risk that doesn’t align with where the business is going. Well, you can, but it’s not effective.
Courage to challenge other perspectives; this courage is encouraged by establishing a safe zone of psychological safety. Multiple perspectives help, including challenging the effectiveness of existing investments.
3. Board Engagement
Engagement
High level of engagement looks like what? Low level of engagement looks like the board session described earlier in the article. Once you have board leadership and the right focus, you have the foundation for having and sustaining a high level of engagement during a board briefing but it doesn’t happen automatically or without being intentional about it.
High levels of engagement on cyber create a high level of effectiveness in the boardroom. The ingredients (in our view) of great board engagement include:
Digital & Cyber Expertise
Effective Communication
Good Relationships with Management
Digital & Cyber Expertise - Board members should be deliberate about increasing their knowledge and expertise in digital and cyber risk/security. This begins with intellectual curiosity about the benefits and risks of digital capabilities. Several board directors are naturally curious about a lot of topics, and cyber and digital should be no different. There’s often some trepidation and anxiety for directors who believe they’re not tech savvy and are intimidated by the technology. But this should not be an excuse to resign or neglect the required efforts to be at least curious about the benefits and to have a basic understanding of the implications. The goal is not to be an expert but to at least be able to carry on a meaningful conversation (at a dinner party if need be). We believe this can be done, and it can also be incredibly effective and fun for directors.
There are several ways to acquire expertise, ranging from independent reading of cyber articles in board-focused publications (such as the NACD, Directors and Boards, PDA, etc.) to more formal training courses such as the MIT courses. But where to begin? We suggest hosting a board learning clinic focused on cyber and the organizational cyber risks and challenges. This allows board directors to learn through meaningful stories and experience the learning collectively as a board. In this group format (in person preferably for the first), questions from one director will trigger thoughts from others and build on each other’s understanding. It can also be directed to the organizational struggles and provide context, etc.
Effective Communication - The next ingredient is effective communication, which is a lot of listening and asking questions. There’s a tendency for some board directors, ourselves included, to want to speak instead of listen. Instead of listening intently with our ears, eyes, heads and hearts, we try to focus on our point and what we want to say. But listening is what’s really needed for high levels of engagement. Humble inquiry is the mental frame of mind or model that should be employed here. For example, management or the cyber chief shares with the board that a 3rd party partner had a cyber incident and that some of the organization’s customers and suppliers may have been impacted, but the organization itself was not impacted and hasn’t really suffered any material attack or data breach.
At first glance, it seems there’s no major action for the organization or the board, other than ensuring the organization is not vulnerable to the same thing as the source of the incident at the 3rd party. Some questions to ask here include:
If customers are impacted, does our cyber insurance policy cover these types of incidents and related remediation efforts that may be required?
What proactive steps can the organization take?
How does this incident potentially affect our brand or product launch?
Management Relationships - The last ingredient is to cultivate good relationships with the cyber/digital chief. This is important for two main reasons. First, it provides a baseline for asking tough questions in the boardroom without the cyber/digital chief thinking and feeling they’ve been unfairly targeted or mistreated. When management officers know that board directors care about them and are genuinely interested in their success as well as the success of the organization, it makes a difference. Management wants the board to be engaged, and they’d like to receive the benefit of an outside view and independent perspectives. Without such relationships, the psychological safety required in the boardroom to actively and proactively engage is limited at best.
This relationship also provides learning for the directors, and this in turn increases their confidence in dealing with digital and cyber topics and the value they can add and provide to the organization. How to cultivate these relationships? There are several ways to do this, including:
X, Y and Z
But we recommend a simple, informal method: a one-on-one lunch.
Commitment
Decisions
Clarity : Clear Outcome or Objective
Board Leadership Commitment
Engagement
A - Engagement: A great briefing has an unmistakable energy of engagement displayed by a majority of board members. You can feel the progress in the boardroom. Discussions, though cyber focused, inevitably connect with critical elements of the business strategy. And this is why even directors without cyber expertise can engage passionately in the discussion. For example, a cyber briefing could discuss the primary risk of business disruption by bad actors and the impact to the business, and not just that the cyber team stopped a certain number of ransomware attempts.
Talent - or talking about attracting and retaining cyber talent, which naturally evolves into touchpoints with culture, employee engagement, compensation, etc.
A great briefing connects the dots, and this is reflected in the engagement from board members. Creating this level of engagement takes three things:
a - Effective communication
b - Cyber expertise
c - Relationships
Decisions: Is it possible to have good board engagement and ineffective cyber oversight? Yes.
Ultimately, strategic decisions about risk mitigation investments and potential opportunities must be made for effective cyber oversight. These will typically take the form of proactive measures to reduce risk and potentially explore how to leverage such investments to elevate the brand or increase value to clients, customers and consumers. Some of these decisions may involve staying ahead of new cyber regulation and crisis preparedness. Whatever the form, these decisions are made by the board, effectively and decisively.
In summary, here are the principles and practices that increase the odds in your favor if you want to have effective cyber board briefings.
Summarize the required practices and actions.
This is what makes great briefings, great!