I just finished working on a cybersecurity policy for a relatively small dental practice in a large midwestern city. The practice’s IT consultant with whom I was working was pleased with the results and said that this Practice was now “miles ahead of the other dental practices” in terms of its cybersecurity posture. He added that many of the Practice’s competitors had “one or two” pieces of paper to describe their cybersecurity posture, which he said was “one or two pages longer than it needed to be” to describe the security they actually had in place.
I guess we shouldn’t be surprised. Despite the headlines about data breaches or regulatory fines or lost revenue, cybersecurity for many firms remains an abstraction. And when you are focused every day on real issues with customers, patients and staff, abstractions come last.
The way to encourage businesses to focus on either risk or opportunity is to make the abstraction real and to provide a game plan which brings value to all who are involved.
Making It Real
In order to “make it real” for the business, you need three things: 1) a compelling (and simply told) story with characters in the story similar to the audience; 2) a financial picture of the situation; 3) a happy ending. Cybersecurity tells a lot of stories, almost all of which are fear-based. That’s engaging to a point, but often the fear doesn’t seem relevant and it is out of context with the situation. It’s scary to think Equifax can be breached and 147 million records were exposed, but what does that have to do with my Dental Practice? If you tell me a story about a ransomware attack on a dental practice which cost the business $500,000 and that I have a 10% chance of experiencing a $20,000 ransomware loss and a 90% chance of a $1,000,000 loss, I have something to understand. Then if you tell me that if I do A, B and C I can reduce my probabilities by better than half, I see a happy ending.
Someone once told me that the way they view cybersecurity regulation is like a law which states that if a thief breaks into a house and steals stuff, the homeowner is arrested. Cybersecurity has been framed as a protection against the financial impact a business incurs when bad guys do something to us. That creates a friction in our mind and pushes us against wanting to invest in something to protect against something that we wouldn’t do ourselves.
Instead, cybersecurity should really be framed in terms of reputation and brand. It’s part of the care and service that you bring to your customer, the respect that you have for them and the trust you want them to have in you. Reputational value is a combination of a lot of factors, but in today’s digital age, data privacy is a true (and marketable) benefit.
Telling stories with financial relevance which show the true value of cybersecurity to all stakeholders is difficult. But if we want to make inroads to cyber protection, we will need to do so.