Marketers face the daily challenge of setting products and services apart from competitors. Too often, security is used as an after-the-fact, due diligence criterion. In today’s digital world, data security can be a valuable differentiator. How do we change security from an additional benefit to a leading factor in marketing who we are and what we do? Can it help us feel more safe and secure in our marketing?
Before security can become part of the marketing message, you must have confidence in your security infrastructure. Once that is confirmed, you have to know who you are talking to and make sure that you achieve the right level of detail. The security concepts explained below are from the point of view of a company selling software to other businesses (like us). Consumers are also interested in the security of their data, but it may be better explained in a few sentences or a handful of images.
The way we think about data security provides some insight into how to make this idea part of your brand. This is a core value embraced by the whole organization. Security experts can help write blog posts (like this) and even join sales calls, but everyone has to have some understanding of security for it to become a leading component of the company’s marketing.
Confidentiality, integrity and availability form the core of a security program with the goal of reducing overall risk to clients and the company. Provide your salespeople with a basic understanding of these ideas so they can speak to them in the absence of a security expert.
Confidentiality means that clients’ data will only be accessed as agreed to by clients and only as needed to fulfill your service to them. This becomes the basis for access control and authentication to your systems and data. This is especially true with privileged access, such as administrator accounts with super rights to data and functions. Privileged access should be limited to only those people in roles that have an absolute need for that level of access. Privileged access is always limited, tracked, logged and audited to guarantee the confidentiality of the data.
The right to use the data is also covered by confidentiality. Does the receptionist need the ability to view client data? Not likely. If such data were needed on an occasional basis, rather than give permanent rights to the data, it makes more sense to develop a procedure to request the data with justification as needed. Confidentiality is supported by policies such as the complexity of passwords, how often they must be changed and how many failed login attempts are allowed before lockout. In all cases, a balance must be found between the confidentiality of the data to reduce risk and the convenience of accessing data to perform your role.
Integrity is the commitment to make sure that the data provided by the client stays the same unless it is changed by an authorized user. This concept goes hand-in-hand with confidentiality, so that only those users properly identified and authenticated with proper authority are able to add, change or delete data. This also includes making sure that applications do not unintentionally or unexpectedly alter data. Authorization to view or change data is usually established based on roles or job duties. It is generally best to establish the level of authority to alter data needed by a person based on that person’s role, rather than as an individual. This guarantees consistency and makes managing authorizations easier across a company. Exceptions to this should be reviewed and limited to business-justified deviations.
Availability is the idea that whenever the client or their customers need to access data, they will be able to do so. We focus here on the resiliency and redundancy of the data and complete infrastructure. We are concerned with the possibility of failures and the impact if such a failure occurs, particularly as it applies to availability. You will often hear availability discussed in terms of how many nines are provided. This measure represents the level of uptime for a system or, in other words, the amount of downtime allowed before failing a service level agreement (SLA).
The highest level of availability is called five nines. This represents uptime of 99.999%. At that level, only about five minutes of downtime is permissible annually. This is the type of SLA that most clients are beginning to expect and we have to work to provide.
Marketing Next Steps
Marketers have the opportunity to change the conversation about security. To do this, we need to start marketing these three core security concepts in simple terms:
We will keep your data confidential, making sure only authorized persons may see it.
We will keep the integrity of your data intact, by making sure only authorized persons can see or change it and only as agreed by you.
We have systems and processes to provide you the availability you need to support your customers and your business.
This really can make a difference in your business, as a large sales deal was recently closed because security was a key selling point. The client specifically called out the positive nature of having one of our security officers involved in the discussions. Take the first step by reaching out to your own security team to understand how you can add data security to your marketing message.
Patrick Benoit is the Deputy Chief Information Security Officer for Cheetah Digital. He previously served as an Executive Business Partner for Experian, Client Delivery Executive for Dell Services, and an IT Director after selling his business, a Dallas-based business and technology consulting firm, which he founded in 1992.