We’re currently in the middle of a trust crisis, and it’s costing organizations billions of dollars every year.
Companies aren’t in the business of selling products anymore—they’re selling trust. That might sound controversial but think about it for a moment. People today consume more products digitally than ever before. In doing so, they expose themselves to a host of security and privacy risks that never existed in an analog world.
And no, these risks aren’t the cost of doing business. The fact is, many companies have already implemented security best practices across the product development lifecycle. They’ve put in the time and effort because it’s the right thing to do for their customers. But it’s also an essential first step to proving compliance with any number of regulations and security standards.
By the way, there’s only one way for a business to prove its trustworthiness, and that’s by getting a security attestation or certification from a third-party auditor that says you’re safe to work with. In the B2B world, most enterprises won’t even work with you unless you’ve got one.
Trustworthiness is fast becoming a key consideration during product and vendor evaluation, regardless of the industry. And this trend is only increasing, as digital becomes more ubiquitous, along with the inherent risks associated with it.
Product leaders can anticipate these new market realities—and they don’t need a crystal ball to do it. All it takes is a security-driven approach to product design, which we’ll cover below in more detail.
Understand the Regulatory Landscape
We’re not suggesting that you learn the ins and outs of every security and privacy regulation in existence. That would be cruel.
However, knowing which regulations you’ll need to adhere to, either now or at some point in the future, is critical. For instance, if you’re doing business in Europe, you need to factor the General Data Protection Regulation (GDPR) into how you’re building and delivering your products. In California, there’s the recent California Consumer Protection Act (CCPA) to keep in mind. These are a couple of examples of regional regulations. There are many that cover what kind of data you’ll be collecting and using. For example, for medical data, you have to consider the Health Insurance Portability and Accountability Act (HIPAA) and for payments, there’s Payment Card Industry (PCI).
Obviously, these are just a few examples of regulations that are in place right now. The regulatory landscape is constantly changing and that will certainly remain true in the future. This can make it difficult to stay one step ahead of the game and anticipate what might come next.
That’s why it’s always good to align with your security team. They know their stuff. If you don’t have one, security assurance experts can provide you with the necessary context.
Know Your Security Frameworks
Again, no need to do a deep dive into every security framework, although it does help to have a rudimentary understanding of the big ones, like SOC 2 and ISO 27001.
If you have customers with stringent security requirements (and most of us do these days), you should know exactly what they are and understand how they’ll impact your development lifecycle and go-to-market. That way, you can begin designing and operationalizing the right security controls across your team, like multi-factor authorization for any tools you might use for single-sign on.
By keeping the lines of communication open with sales, you’ll get a sense of how the marketplace is shifting. It’s important to remember that security isn’t something you can simply set and forget. It’s constantly evolving. Feedback from customers is also critical, as it’ll keep you in lockstep with their changing security needs.
Having a broad understanding of the regulatory landscape and relevant compliance frameworks ensures that security is always scoped into your development process. This methodology should also help you stay proactive, even as the landscape evolves.
Sell Security as a Benefit
You might be asking yourself: “What exactly does selling security as a benefit have to do with security-driven product design?”
It’s a good question.
If you’ve followed the advice above, security should already be on your product roadmap. This is important. It means you’re ensuring that it’ll be a function of your product. That’s a benefit and a market differentiator. It’s something you need to be communicating internally. It’s also something your organization needs to be communicating in the marketplace.
We already mentioned that companies today are selling trust. You can’t sell trust unless customers can count on you to keep them safe when they’re engaging with your products. And if you can provide that assurance, then you’ve demonstrated you are trustworthy.
It begins with socializing the idea that security has implicit value beyond risk mitigation and convincing your team that it will matter to your customers. Once you’ve done that, it’s time to prove compliance, and that means getting an audit. Only then can you start selling trust.