October 5, 2015
In 2015, 26% of global security decision makers consider privacy as a competitive differentiator for their organization.* But what does that even mean? And how would an organization achieve this?
Last week I was out in Las Vegas for Privacy. Security. Risk. and moderated a panel on this topic. Panelists included Michael McCullough (CPO, VP, Enterprise Information Management and Privacy, Macy's), Nathan Taylor (Partner, Morrison & Foerster), and Jamie May (VP of Operations, AllClear ID). Two things were clear:
- The ability and desire to use privacy as a competitive differentiator heavily depends on the nature of the business. For example, a cloud provider would approach this differently vs a company that sells gasoline.
- Treating privacy as a competitive differentiator vs marketing/selling with it are separate concepts. Some organizations may choose to embrace both. Treating privacy as a competitive differentiator has more to do with corporate culture, privacy practices, and your privacy team. The notion of responsible information management came up several times during the panel session. There is also risk involved with marketing/selling with privacy as a competitive differentiator; if you make a promise, you must be able to fulfill it.
So how do we make the privacy team and privacy as a competitive differentiator a reality? Some highlights from the interactive discussion among panelists and audience members:
- Build trust. See it as an exercise in trust building, and make that a part of the company culture in how you handle information (that concept of responsible information management!). There is a component of managing relationships and emotions here. Don’t have privacy or the privacy team mess up those relationships.
- Put the customer first. This is their data that they are sharing with you. It's the small mundane things that are important when it comes to the interactions that your company has and the impressions that you leave with your customers.
- Realize that your customer isn’t the only stakeholder. For example, think of the regulators and state attorney generals (AGs). It’s likely you will be interacting with AGs in non-breach situations when it comes to privacy. Build those relationships too.
- Be proactive internally. For example, invite other groups to spend time with the privacy team to understand their value add and how not all privacy issues are security driven. Or consider how the privacy team may be able to help with addressing audit conditions like data classification and expand their role to be a partner for infosec.
- Take part in planning for failure. For privacy pros, breach response is a time to shine. You can contribute to breach notification and response planning and to the actual response itself with customer-facing communications.
- Build credibility with your C-level executives. Communication matters; try to be right (a lot), and forecast out expectations and implications of internal initiatives as well as externalities like regulatory changes. Your executives don't want to be surprised. Work towards the same business goals.
- Differentiate on practices. Consider the internal (security controls for data) as well as external customer data control (transparency, choice – there needs to be a mutual benefit for both your customer and your organization if you’re asking customers for their data).
What do you think? What does privacy as a competitive differentiator mean to your organization, and how is your company making this a reality today? Let us know in the comments!
*Source: Forrester's Business Technographics Global Security Survey, 2015