Security is a problem, right? A risk to your business, a risk to your trade secrets, a risk to your personal information and that of your customers. That’s certainly all true of course; but there is a radically different way to view it – as a positive force capable of putting clear water between you and your competitors. You can be first to market with a secure product or service and then promote it effectively to customers who are worried about security. The secret to achieving this is to build it in from the start and aim high.
Let’s begin with a safety analogy to illustrate my point. Anyone old enough to remember the 1970s and 80s will recall spiralling concerns over fatal car accidents. The global automotive industry responded with air bags, pre-tensioned seat belts, new crash tests and much more besides. Indeed, I was part of the response to this, conducting research into the performance of child car seats. Volvo turned these worries into competitive advantage – remember their crash test dummies? – and became the car of choice for the safety conscious. Renault were hot on the heels of Volvo and became early winners in the embryonic EuroNCAP testing regime.
Nudging the accelerator to the present day, we expect the autonomy of driver aids and self-driving to help us enjoy safer journeys. And interestingly, this safety focus is starting to merge with security in the minds of consumers. Some are even beginning to base their vehicle selection on their perception of its security. Right now, the issue is largely centred on the theft of keyless entry cars. The industry is acutely aware of the problem and is looking for solutions.
The big picture challenge is the creation of an interconnected ecosystem of cars that talk to each other and the world around them. What’s more, they need to talk to your mobile phone, your home, your repair shop, the local weather station and the manufacturer that is providing updates. Effectively, it’s a huge, interconnected web of systems, each with potential vulnerabilities to be exploited.
But we don’t need to pause at cars. The whole world is becoming endlessly connected. From the watches on our wrists to the systems in our factories that heighten the quality of production and the effectiveness of supply chains. The Internet of Things is here. Connections are being made wirelessly using mobile signals, Bluetooth, new clusters of hundreds of satellites – and let’s not forget the internet! This is enabling a better world for us all to live in.
We’re excited about the connectivity, but our customers are becoming increasingly concerned about security. Three years ago, a PwC report revealed that 85% of those surveyed would not do business with a company if they had security concerns. More recently, in a digital survey commissioned by Ekata, 92% of consumers highlighted security as a key issue, alongside speed of transactions. Further, a 2019 Ipsos Mori poll states that 85% will not do business with a company if they have security concerns and 65% of people are concerned with connected device data collection.
The question is, are we thinking enough about security? And when we do, are we simply getting it all wrong? The news is full of data breaches, hacked smart devices in homes and even product recalls of children’s smart watches. We need to change our mindsets and make security an asset.
Opportunity from connectivity challenges
It is vital to look beyond the problems and start imagining how digital security can enable your business to thrive, to be better, to do new things. The question is how. A good place to begin is establishing what to aim for. And essentially, you should be aiming to make security a benefit. Like any product feature then, you need to do your research. What competitive products or services are out there? Where is the niche in the market that is unexploited? Where can you differentiate and so leap ahead?
To answer these questions, I find that techniques like market landscaping help. In these approaches, you look at the market now and where it is heading. What does the future consumer of your product want in five or ten years’ time? Through this lens you can identify the opportunities that will help you lead a market. Once you have identified the gap, you need to work out whether you can fill it. And here’s where security technologists come in. They can help identify what you can build into the service to take market leadership – and ensure you remain ahead of the security game for its lifetime.
Explaining security effectively
Now I need to turn to the concept of ‘explainable security’. It’s relatively new, it hasn’t got much further than academic papers yet, but it’s a vital thread in my argument. In the context of what I’ve been discussing, one important aspect of the concept is this: “It’s no good having the best, most secure system, if you can’t convince your customer base that it’s better than the competition. You need to be able to explain to your customer how your system is secure and why it’s better than other options on the market.”
This is perhaps why studies show that although consumers are willing to pay extra for security, the amount they will pay isn’t related to the level of risk (Blythe et al., 2020). Perhaps this means security benefits have not been explained well enough for them to pay more – although they do appreciate that they should pay something?
The nature of the explanation that is required may differ of course. Some users will want to gain trust in a system through detailed explanations of its inner workings. Others may simply want confidence in the system, which might be gained through third party certification, compelling marketing messaging or the reassurance of safety in numbers.
An example of this is revealed in a PwC report on the Sharing Economy, which is of course built on a digital services backbone. PwC reported that 67% of people would not trust Sharing Economy companies until they were recommended by someone they trust. It isn’t clear whether this is just about safety in numbers or because they don’t understand the concept or how they are protected. But what is clear from the report is that if you want rapid adoption at the start, you will need to get over this hurdle without relying on recommendations.
So now we have a framework for assessing which of the product or service ideas you have might be the one to invest in:
There’s a market opportunity of a certain size
You can meet it with better security
You can explain that security solution easily to your customers
The next step is to develop the security solution itself. And to get that right, you need to think about the threat – specifically the bad guys who might attack the product or service. You need to think about the threat vectors with the potential for high impact, about where an attacker can get in, and maybe about the unwitting user who might break it by accident. You also need to weigh up how likely each of these is to happen and what the consequence is if it does.
Sound familiar? Well yes, it’s a standard risk assessment process and it is at the heart of security engineering. But where many go wrong here is with assumptions about likelihood. It is very easy to assume something is unlikely if you don’t know anything about how it might happen. Overcoming this problem takes deep expertise and experience.
Ideas that enable new possibilities
Security solutions will of course vary because the challenges are different for every business. You might be primarily intent on protecting against cyberattack, or protecting sensitive data, or wanting to trust sensitive data… the list goes on. But here are a few buzz phrases that illustrate how security ideas and technology can enable new possibilities.
Security architecture is at the heart of every solution. It’s the process that helps define an appropriate security model while incorporating a host of other factors, such as risk analysis, requirements analysis and systems engineering. When done well, it can enable great security that can be updated throughout the lifetime of the product or service as risks change. But it cannot be an afterthought; it has to be the absolute core of the solution.
Homomorphic encryption is an exciting proposition because data doesn’t need to be decrypted to be processed. This means that you can keep sensitive data scrambled, but still analyse it. New services that otherwise would have been unthinkable, because of the need to process personal or financial data, become possible.
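To make the homomorphic encryption point concrete, here is an added example (not from the original article or from Cambridge Consultants): a toy Paillier scheme, which supports addition on encrypted values, so a service can total readings it cannot read. The function names, the two small primes and the sample readings are assumptions constructed for illustration and are far too small for real use.

```python
# Toy Paillier cryptosystem (additively homomorphic). Added illustration only:
# the primes are far too small for real use and the readings are constructed.
import math
import secrets

def keygen(p=2**31 - 1, q=2**61 - 1):        # two known Mersenne primes (toy size)
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    assert math.gcd(lam, n) == 1             # needed for the inverse below
    mu = pow(lam, -1, n)                     # valid because the generator is g = n + 1
    return n, (lam, mu)                      # public key n, private key (lam, mu)

def encrypt(n, m):
    n2 = n * n
    while True:                              # fresh randomness for every ciphertext
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (1 + m * n) % n2 * pow(r, n, n2) % n2   # g^m * r^n mod n^2, g^m = 1 + m*n

def decrypt(n, priv, c):
    lam, mu = priv
    x = pow(c, lam, n * n)
    return (x - 1) // n * mu % n

def add_encrypted(n, c1, c2):
    # Multiplying ciphertexts adds the hidden plaintexts; no key is needed.
    return c1 * c2 % (n * n)

def scale_encrypted(n, c, k):
    # Raising a ciphertext to k multiplies the hidden plaintext by k.
    return pow(c, k, n * n)

def encrypted_total(n, ciphertexts):
    total = encrypt(n, 0)
    for c in ciphertexts:
        total = add_encrypted(n, total, c)
    return total

def demo():
    n, priv = keygen()                       # data owner keeps priv
    readings = [1200, 350, 4875]             # constructed sample values
    cts = [encrypt(n, m) for m in readings]  # only ciphertexts reach the service
    total_ct = encrypted_total(n, cts)       # service works with public n only
    doubled_ct = scale_encrypted(n, total_ct, 2)
    return decrypt(n, priv, total_ct), decrypt(n, priv, doubled_ct)

if __name__ == "__main__":
    print(demo())
```

Paillier handles sums and multiplication by a known constant only; arbitrary computation on encrypted data needs a fully homomorphic scheme, at much higher cost.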
Solutions to enable trust can ensure that the product your customer uses is the real thing, assuring them that they don’t have a product that uses counterfeit parts. These can be solutions like blockchain, banknote-type holograms or even testing systems that visibly demonstrate to the customer at point of purchase that the printer ink, medicine or car part is authentic.
Fundamentally, my most important point is this: it is perfectly possible to make security a valuable asset to your business. It can enable new commercial activities distinct from your competitors and is very likely to be increasingly seen as a differentiator by cyber-savvy customers. In the coming weeks I’ll be following up this article with a look at what comes next. What happens in the real world as life changes? I’ll explore the best ways to evolve your asset when threats change, and your competition catches up.
Cambridge Consultants has plenty of experience when it comes to helping companies upgrade security to a tangible business asset. We understand not just the concepts, but the ways to make things happen in the real world. Get in touch if you’d like to talk about how security could give an edge to your business.
85% claim they will not do business with a company if they have security concerns - PwC survey, 2017
77% say security/privacy is a buying factor - Ipsos Mori poll, 2019
65% of consumers concerned with connected device data collection - Ipsos Mori poll, 2019
92% of consumers highlight security as a key issue - Ekata commissioned consumer digital services survey
There will be 25 billion Internet of Things (IoT) devices connecting the world by 2021 - Gartner research
74% would pay more for a product with additional security built in - Microsoft reports
67% of people would not trust a Sharing Economy company unless a friend recommends it - PwC survey