Security in digital products and services is no longer just about protecting you from risk. As I discussed in my previous article, secure solutions that respond to the concerns of a customer base can be a powerful and differentiating business asset. But in the real world, of course, threats change and evolve – and competitors have a habit of catching up.

Your safest bet for a competitive edge.

Customers also complicate the picture. Their needs change too. Computer Weekly reported on a survey that suggested consumer concerns about cybercrime have dropped 10% since COVID, despite such crime actually increasing during this difficult period. The context here is that consumers are more worried about their health right now than security risks. And customers have been buying less too, so maybe that’s why security is lower on their list of worries.  

This begs the question of whether you should worry less about security in the products and services you provide to them. The obvious answer – no – is an easy conclusion to come to, of course. So, let’s add some layers of detail and look at the bigger picture to confirm why that instinct is correct. 

How should we respond to the changing world? 

I suggest we should start with four key things: 

  1. Keep an eye on the threat and what it means for your products and services. A product sold five years ago can still be a threat to your brand if it hits the headlines.

  2. Keep an eye on the competition. Life moves very quickly in the digital space and customers can be very fickle; just think about how often people switch social media tools, for example.

  3. Ensure your products and services can be updated for the duration of their life. Design this in from the start.

  4. Think carefully about what your customers are thinking about, what you need to tell them, and how and when. Consider how their concerns may be changing in response to events such as those discussed above, or simply as they become more aware of security and the art of the possible.

The good news is that businesses do recognise that they need to do something. A recent publication from Forbes Insights, ‘Enterprises Slowly Embrace Cybersecurity Challenges’, shows that executives across EMEA recognise that more needs to be done in their businesses. Indeed, 80% of executives surveyed flagged a need for less outdated solutions, as they recognise threats have changed. This is echoed by the findings of the latest UK government survey on cyber breaches, some of the key findings of which are shown in the infographic here. 

Keeping an eye on the threat 

I talked briefly about the risk-based approach to designing security solutions in my previous article. That process is based on a good understanding of the threat – the risk. So, when that threat changes we need to return to our risk assessment and our view of risk. We need to understand our current risk appetite and how it varies across our product portfolio. We might be willing to take a bigger risk on a product nearing the end of its life than we would on a new one; that all depends, of course, on the impact it might have on our business.

Keeping an eye on the competition  

Many elements of the process for looking at new opportunities that I described last time apply equally when the competitive landscape changes. Research is fundamental to any product feature – including one based on security. Competitors will inevitably start to encroach into your space, so it is vital to maintain your market research and landscaping to stay one step ahead. What the customer wants and expects from your offering today will not be the same in five years’ time. In the digital world it can change in a matter of months as new disruptors enter the market.

Designing in the ability to update to keep pace with the threat 

The key here is to ensure that the security architecture and the solutions themselves are able to keep pace. We need a mechanism for updates, which itself can mean adding a level of connectivity that in turn becomes a method of attack. So, this needs to be done with care. The upside is that it’s an opportunity to regularly connect with your customers, which can be a great marketing avenue, of course. It demonstrates you care about their security and provides an opportunity to offer additional services.  

In short, getting the foundations of the updates link right means you stay on top of threats and open up a valuable channel for customer communications and marketing. And always remember: for a product or service to survive in today’s digital world, it must be easily updatable – and it is best to build this capability in from the start. 

Thinking about what our customers’ view of risk is 

In my last article I introduced ‘explainable security’, the concept that we need to explain to customers how the product works in terms of security. We need to do this to convince them that our product is better than the competition. 

The concept can also be used to ensure that whatever solution is designed can explain the users’ role in delivering security. I’ve already discussed the ways in which customers’ views can change over time. This is important from both perspectives of explainable security – either to convince them to invest in the new product, or to ensure they still do their bit in maintaining the security of the product, even when their views of risk change and it becomes less important to them. 

Are we doing enough? 

Having reflected on what we should do, it’s now time to think about whether we are doing enough. As the infographic suggests, the answer is probably no. There is more we should do.  


I don’t intend to be critical here. It is difficult, but there are some concrete steps that can be taken to help. A robust process will keep you on top of risks and opportunities both now and in the future. Most systematic, top-down approaches to assessing cyber security investment start by asking for a view on risk appetite. That’s perfectly logical in principle. If you are willing to live with higher risks, then you need to do less to reduce them. It’s what the board of every company does with a thousand different risks every day.

The practical issue with cyber security is that the risks are new and moving quickly. There aren’t the same decades of experience and understanding that are used to characterise other strategic risks. It becomes hard to provide a realistic assessment of risk that you can measure your appetite against. It’s easy to build the wrong solution on a faulty basic assumption. 

Doing things bottom-up is simpler in many ways. Taking a risk assessment-type approach is relatively simple for one element of a digital system but gets harder for an end-to-end, full-stack digital service. Take a smartwatch as an example. It connects to a phone that has multiple apps that talk to multiple cloud-based services, many of which are linked to payment systems and banks. It may also link to medical records, health monitoring, life insurance and so on.

For an insurance business launching a digital health-based service, the security risks and consequences are much more complicated than those of the watch provider. The insurer may worry about the watch being a route to its system being hacked, whilst the watch provider is only concerned that the watch still carries out its main function.

Every new piece of technology, each new recruit, each tweak to a security management plan can be much more easily judged in isolation as to whether it will improve matters. The drawback is that it becomes impossible to know what each element is worth to the overall scheme and to make sense of the patchwork that is gradually assembled. Perhaps these challenges are why, according to the UK government Department for Digital, Culture, Media & Sport annual survey, only 32% of businesses in the UK undertake risk assessment, despite 78% of them saying they think cyber security is a high priority.

So what next? 

We have found that there is no one size that fits all. Resolving all the considerations we’ve been talking about can be as complicated as the digital security technical solutions themselves. It’s a tough problem that requires an intimate understanding of the business concerned and how it operates, while considering people, process and technology. This needs to be allied to robust technical understanding of the realities of potential cyber security threats and mitigations.  


The ideal is to build a quantified model of the business so that the value preserved or created by an investment in any given technology can be compared to the cost of that technology. This is what we do at Cambridge Consultants. We are unusual in having the deep technical experts who develop new security technology for our clients. Drawing upon this expertise we can offer real insight into the top-level design of the security architecture. We do this alongside our work to deliver product and service designs that enable our clients to disrupt their markets. Drop me an email if you would like to discuss this or any of the concepts I have outlined here.


Author
Mark Dorn
Associate Director

Mark has worked extensively in the defence, security, transport, industrial and space sectors. He has 30 years of experience in providing technology advice across the product and service life cycle. In digital security, he helps clients understand business threats and their risk appetite, balanced with the cost of mitigation.