May 1, 2007
By Jay Barbour
Historically, information technology (IT) security has been a business cost center. However, with the scope and scale of recent data breaches, including the TJX Co.s fiasco, consumers are tired of doing business with organizations that don't adequately protect personal and financial information.
Moreover, recent survey data supports the business case that security can be a competitive differentiator.
A CMO Council survey, "Secure the Trust of Your Brand," found that 76% of professional marketers surveyed believe security breaches negatively affect an organization, and 60% believe security can be a competitive advantage.
Plus, 90% of the consumers surveyed are concerned about security and believe it's very or somewhat important for organizations to have clear, visible, and understandable descriptions of their security practices."
More than a third (34%) of consumers would "strongly consider taking their business elsewhere" if a business suffered a security breach that compromised their personal information; 25% "definitely" would take their business elsewhere; 36% would "wait and see how the organization responds;" and 5% "would do nothing/not sure."
The take-away from the survey is that there are two areas for marketing your organization's "brand trust:" your organization's promotion of its security competencies and, heaven forbid, your organization's response to a data breach.
Use ordinary language that's concise and easy to understand. Follow up with a section on your Web site that explains how you've secured your products and services. Mention proactive measures you've taken against fraud, as well as after-the-fact protection from losses related to fraud. Of course, don't disclose technical details of security measures that could help would-be attackers.
Finally, provide tips and best practices for your members so they can take charge of their own security as it relates to physical security (i.e., mailed statements), online banking, and identity theft (i.e., monitoring of accounts and credit reports).
Before launching your security marketing campaign, have your legal department approve the material. Undoubtedly, lawyers will want all-encompassing terms and clauses that completely remove your organization from liability. Don't let them go too far. There must be a careful balance between making your members feel comfortable that your organization is protecting their privacy, and ensuring that you don't expose your organization to liability.
Important characteristics of a response plan include:
It's best to bite the bullet and prove to your member base that your organization is ready with an action plan, it cares about member privacy, and it will fix any security issues so it doesn't happen again.
Security as a strong marketing differentiator won't happen over night and it won't be cheapâ€”although the alternative to poor security is even costlier. A useful analogy is to look at the automotive industry when seatbelts and airbags were first mandated.
Many auto manufacturers claimed the new safety measures would add too much cost, making their products less attractive to consumers. Today, there are at least two successful auto companies that have built their brands almost exclusively around safety (hint: their names both start with a "v").
Jay Barbour, CISSP, is vice president of marketing and product management at Intrusion Inc., Richardson, Texas. He has a degree in engineering physics from Queen's University, Canada, and an MBA from INSEAD, France.