Is Your Data Security Worthy of Your Crown Jewels?

To protect your valuable information, propping up a secure data infrastructure is only one piece of the puzzle. Creating trust-building digital experiences across your customer workflows is equally important for transforming digital security into a competitive advantage.
Data that is critical to the success or survival of your organization, data with real value, is its crown jewels. Think intellectual property, customer lists, or financial information. For a long time now, data has been considered the world’s most valuable commodity, worth more than gold or oil. The misuse, theft, or corruption of critical data can cripple operations, destroy brand reputation, and dramatically reduce shareholder value.
To protect this data, most organizations think of “locking up the crown jewels”. So they do the digital equivalent of sticking it in a vault and throwing away the key. The problem is that data mostly generates value when actively used: Accessed, modified, or shared with customers and collaborators.
In other words, it is not enough to just protect the storage of your data. Your data needs to be sent only from and to trusted identities, and protected as it moves from point A to point B, and from person C to person D. Always via channels you know are secure, right across your data supply chain.
Otherwise, and at the risk of stretching the metaphor, you might have an impenetrable vault. But the crown jewels inside are constantly being passed from hand to hand in the open air.
Data Compliance Does Not Equal Data Security
There is an ongoing debate about the kind of digital security solutions most suitable for protecting different data types. Regulators have waded into the fray, with increasingly prescriptive requirements for handling certain categories of data. From the General Data Protection Regulation and NIS2 to DORA and numerous other sector-specific regulations, organizations are required to establish robust controls and measures. All aimed at helping them withstand and respond to threats and disruptions.
Compliance, rightly, is top of mind for the C-suite. There are harsh fines for organizations that fail to demonstrate a compliant level of personal data protection. Under the upcoming NIS2 regulation, general board members can also be fined for non-compliant interactions with critical infrastructure. And there are commercial benefits for organizations that achieve the international gold-standard ISO 27001 certification.
Sometimes, though, compliance is not just at the top of the agenda; it becomes the agenda. That can force a single-minded focus on keeping the “outer walls” around your data secure. But this approach fails to consider the data itself, as it moves within and outside your business, often in complex and varying ways. Remember, data mostly has value when it is being actively used. So, if your processes are old-fashioned, friction-filled, or insufficiently armored, then you might be compliant, yes. But the process itself becomes your weak point.
Don’t forget about your background or stored data and information flows, either: Even old information can be valuable for hackers.
What is Digital Trust in the Data Supply Chain?
Let us pause for a second and think about a supply chain: The image of a factory receiving raw materials may spring to mind. In this example, there is the delivery of inputs for the production of goods, then a pipeline process that takes the factory through production, quality assurance, packaging, and distribution, until the product ends up in the hands of consumers.
Every customer flow in your business has a similar supply chain. It involves flows of people (customers, employees, and/or external stakeholders coming in and out at certain steps in the workflow), activities (data collection, verification, sharing, storage, tracing), resources (software and hardware), and information (data at rest or in motion).
These are all-encompassing processes, stretching right to the end users of private or public goods and services. And customers who experience friction at any stage of your processes may choose to go elsewhere.
For that reason, organizations need to focus on digital resilience: Protecting your customer flows and the valuable data within them. Your organization may also face serious risks if you aren’t aware of:
- Where the information that flows into your processes comes from (even if it is several steps removed from where you are)
- Who information is shared with, at what point in the process, and for how long
- Whether data has been or could be altered between steps
- That step A in the process has been dealt with correctly before you move on to step B
- That all people are who they say they are, and their activity is appropriate for the step in question
If you cannot answer all the above then you cannot safeguard your environment. Nor can you ensure that the data’s value is being fully leveraged to benefit your customers and your organization.
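The checklist above can be turned into a mechanical check. The following is an added example (not AET Europe's code or any product of theirs): a small, offline model of a customer flow in which every step is recorded with who acted, what they did, and a hash link to the previous step, so that a verifier can answer each question in the list: where a record came from, whether it was altered between steps, whether step A really preceded step B, and whether the actor was a known identity allowed to perform that step. It assumes hypothetical identities (`intake-clerk`, `verifier`, `pharmacist`), a constructed three-step flow, and per-identity HMAC keys standing in for the certificate-backed signatures a real deployment would use.

```python
"""Added example: a hash-linked record of a customer flow, with a verifier
that reports provenance, ordering, tampering and identity problems.
Names, keys and the flow itself are constructed for illustration."""

import hashlib
import hmac
import json

# Assumption: each trusted identity holds a secret key. In a real deployment
# these would be certificate-backed digital signatures, not shared HMAC keys.
TRUSTED_IDENTITIES = {
    "intake-clerk": b"constructed-key-1",
    "verifier": b"constructed-key-2",
    "pharmacist": b"constructed-key-3",
}

# Least privilege per step: which identity may perform which step.
STEP_POLICY = {
    "collect": "intake-clerk",
    "verify": "verifier",
    "dispense": "pharmacist",
}
EXPECTED_ORDER = ["collect", "verify", "dispense"]
GENESIS = "0" * 64  # link value for the first record


def _canonical(record):
    # Deterministic serialisation so the same content always hashes the same.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _digest(record):
    return hashlib.sha256(_canonical(record)).hexdigest()


def append_step(chain, actor, step, payload):
    """Append a step record linked to the previous record's hash and
    authenticated with the actor's key."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    body = {"actor": actor, "step": step, "payload": payload, "prev": prev_hash}
    body["hash"] = _digest(body)
    body["mac"] = hmac.new(TRUSTED_IDENTITIES[actor], body["hash"].encode(),
                           hashlib.sha256).hexdigest()
    chain.append(body)
    return chain


def verify_chain(chain):
    """Return a list of findings; an empty list means the flow checks out."""
    findings = []
    prev_hash = GENESIS
    for i, rec in enumerate(chain):
        expected_step = EXPECTED_ORDER[i] if i < len(EXPECTED_ORDER) else None
        if rec["step"] != expected_step:  # step A before step B?
            findings.append(f"step {i}: expected '{expected_step}', got '{rec['step']}'")
        if rec["prev"] != prev_hash:  # provenance: does it link to what came before?
            findings.append(f"step {i}: broken link to previous step")
        body = {k: rec[k] for k in ("actor", "step", "payload", "prev")}
        if _digest(body) != rec["hash"]:  # altered between steps?
            findings.append(f"step {i}: content altered after recording")
        key = TRUSTED_IDENTITIES.get(rec["actor"])
        if key is None:  # is the actor a known identity?
            findings.append(f"step {i}: unknown identity '{rec['actor']}'")
        else:
            mac = hmac.new(key, rec["hash"].encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(mac, rec["mac"]):
                findings.append(f"step {i}: authentication failed for '{rec['actor']}'")
        if STEP_POLICY.get(rec["step"]) != rec["actor"]:  # appropriate for the step?
            findings.append(f"step {i}: '{rec['actor']}' not authorised for '{rec['step']}'")
        prev_hash = rec["hash"]
    if len(chain) < len(EXPECTED_ORDER):
        findings.append("flow incomplete")
    return findings


def build_good_chain():
    chain = []
    append_step(chain, "intake-clerk", "collect", {"patient": "P-001", "meds": ["drug-a"]})
    append_step(chain, "verifier", "verify", {"history_checked": True})
    append_step(chain, "pharmacist", "dispense", {"issued": ["drug-a"]})
    return chain


def build_tampered_chain():
    chain = build_good_chain()
    chain[0]["payload"]["meds"].append("drug-b")  # altered after the fact
    return chain


def build_skipped_step_chain():
    chain = []
    append_step(chain, "intake-clerk", "collect", {"patient": "P-001", "meds": ["drug-a"]})
    append_step(chain, "pharmacist", "dispense", {"issued": ["drug-a"]})  # verify skipped
    return chain


if __name__ == "__main__":
    for name, builder in [("good", build_good_chain), ("tampered", build_tampered_chain),
                          ("skipped", build_skipped_step_chain)]:
        print(name, verify_chain(builder()) or "ok")
```

The point of the design is that each question in the checklist maps to one concrete check, and that the verifier reports every failure rather than stopping at the first, which is what an auditor or incident responder needs when deciding which step of a flow to distrust.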
To illustrate this using a different context, it would be like a clinic ensuring all staff are certified, but prescribing medication without verifying the patient’s full medical history. Or the pharmacy down the street handing out prescription drugs to anyone who walks in.
Neither patients nor medical professionals would trust this system. Your organization and end users shouldn’t either.
The Rise of Digital Resilience
Where this is leading is the need for companies to focus on digital resilience, through risk management in their customer flows. This risk management approach can be divided into three key elements: Financial, commercial, and trust.
From there, organizations need to consider two sides of the coin when protecting their data crown jewels:
- Security: What data or process step is vulnerable to attack? What happens if a process step is not available for 24 hours? What scenarios might unfold (including worst-case outcomes) should a process, or any part of it, fall apart?
- Quality: What are the strategic risks (and opportunities) inherent in your processes? How can you be a business enabler to improve these processes? And how can security and digital trust principles play a role in that?
Within this context of building digital resilience, it is productive to move away from a narrow focus on security to a broader focus on trust. The word “security” has negative connotations: It implies restrictions, lockdowns, defensive barriers, and attacks. On the other hand, “trust” invokes a feeling of confidence, reliability, and transparency in your business processes.
It is the mindset of looking at security more commercially. Not just investing in data security, but creating a competitive advantage where customers choose you over a competitor because your process is easy, fast, and enjoyable for them. And, above all, it is secure.
Transforming Security into Competitive Advantage
In theory, this should make sense to those in the C-suite who speak in business cases. In practice, however, investment in digital security is not usually seen as a business enabler. And the issue that CISOs pitching these enhancements rub up against is cost.
Within security departments, the cost-benefit impact is mainly measured on a “predict, prevent, detect, respond” basis; in other words, on a compliance basis. No one measures the strategic benefits of improving customer processes. Or considers how integral trust-building experiences are to your organization’s overarching business goals.
So how can we bridge the business-security divide and help your organization build a more effective digital trust strategy? The following steps are a good place to start:
#1: Think trust first, security second
Digital trust and security are not standalone concepts. Trust is security: it requires considering the confidentiality, integrity, and availability of data. If you can’t trust the information, then it’s not secure. Simple as that.
What needs to change is the order of thinking. Organizations need to put trust first (i.e., the process), and then consider the security measures that will enable that trust. So the thought process may look something like this:
- What are our most important customer flows?
- To what degree do we need to protect them? (It will not be 100% for every step)
- What does an optimized-for-trust process look like?
  - For example, do redundant steps or those that breach the organization’s risk tolerance need to be removed?
  - Could information be shared better?
  - Could identity verification be done earlier?
  - Where can speed be added, duplication avoided, etc.?
- What security measures can enable that optimized process?
  - Secure digital identities, digital certificate management, blockchain, encryption, or an alternative?
Slotted together as part of a wider picture, these details can give a powerful and nuanced understanding of the commercial value-add of more trusted customer experiences. While still taking care of the fundamentals, of course.
#2: Talk the language of the board
The C-suite doesn’t speak IT. They speak business. The minutiae of technical details are overload for a CEO who is focused more on risk assessment, and on the business impact of investing in process improvement and digital trust.
One strategy is to frame your case in the language of contracts. A solid contract helps two parties communicate and do business in the most trustful manner possible. It reduces risk, gives visibility into the actions of the parties, protects confidentiality, and ensures both parties can do their jobs without outside interference.
This is a powerful analogy for CISOs to use when selling the idea of investing in digital trust services. Everything that makes up a solid contract should also make up a digital trust platform—what you’re communicating are the benefits of having guardrails for safe and easy communication.
#3: Work with a trust services partner
Creating trust services that aim higher than current digital security requires outside voices. Every organization should have discussions with experts to drill deep into their primary processes. And ensure that digital trust is embedded in the right processes, in the right way.
As a team of digital trust experts, AET Europe helps clients in all sectors, from healthcare to government and from enterprise to finance, to build trust in their customer workflows. And, in doing so, to improve their processes.
For example, AET Europe created a system that allows paramedics to scan a patient’s ID on their cell phone and access their medical records. This can mean the difference between life and death in an emergency. The system is built on a chain of digital identities and certificates that give absolute confidence that the paramedic and patient are both who they say they are. And that the information being shared is updated, accurate, and secure.
Previously, paramedics had to rely on the patient answering questions about their medical history and medications. But this could be unreliable if, for example, the patient was in shock. Working with incomplete information meant time was wasted on trial and error, and poor clinical decisions could be made. Here, you can instantly see the process improvement and risk reduction that AET Europe’s solution offers.
Your sector and organization may deal with very different data needs, in very different scenarios. Regardless, pioneers at the C-level have an opportunity to evolve the perceived role of the information security department from a “cost center” to a “business enabler”.
Make room to zoom beyond compliance—with the guidance of an expert partner. And help your organization grow, by providing trusted digital experiences that delight customers while protecting those crown jewels.
Let’s Get in Touch
Get in touch with our experienced specialists today. We are happy to help evaluate your specific needs and offer tailored solutions that fit your unique security requirements. Let’s work together to ensure your data and communications are fully protected.