The customer cares
Customers regularly see news about privacy and hacking, and they want to know that it’s safe for them to give over their personal data. A lack of trust in an eCommerce site is a leading reason why potential customers abandon their shopping carts. Consumers have no shortage of other options with whom they may share their data and hard-earned salary in a digital economy based on trust and reliability. Organizations must show that they care about data security and that they are taking their privacy responsibilities seriously. Sixty-seven percent of potential U.S. customers say they want more transparency around how their personal data is being used by organizations [KPMG]. With a marketplace dominated by trusted options like Amazon, Jingon/JD.com, Alibaba, and Wayfair, online retailers have to be proactive in demonstrating their security credentials and their compliance with regional data standards. If not, people will take their money elsewhere.
Talking the talk
In today’s data-driven marketplace, it’s important that organizations provide the reassurance of expected security practices – such as the use of HTTPS and recognized eCommerce payment solutions like WorldPay, PayPal, Apple Pay, and Visa Checkout. When customers first visit a site, they should be shown the site’s cookies and data collection policy, which they should be able to reference at any time in accordance with local data collection regulations. Promoting the use of strong passwords and multi-factor authentication to show shoppers how serious you are about security, can also offer a degree of reassurance. As can clear email communications from single channels to avoid (and raise awareness of) phishing scams.
Cybersecurity has now become a topic for positive public relations. It is, or should be, a part of every organization’s environmental, social, and corporate governance (ESG) documentation. It is an ESG “must have” for regulators, standard setters, shareholders, and investors. Promoting cybersecurity and attack readiness in documentation like this makes it accessible to the press and puts it in the public domain.
Many organizations are now publicly wearing their cybersecurity credentials more openly, and their C-suite (notable CISOs) are taking part in thought leadership debate on the subject in other places – in the IT security press, retail press, in conjunction with partners and providers, in conjunction with retail or security bloggers, through podcasts, in lifestyle magazine, via local radio, in national news channels, etc.
Permission from marketing and HR should always be sought before this is undertaken. Marketing and PR will have clear ideas, guidelines, and suggestions for public forums in which to discuss this that work in tandem with other marketing efforts. It is, however, becoming more and more popular as a tactic to bolster cybersecurity credentials and to stand out against competitors. If a potential customer sees a quote like: ACME Corporation Chief Information Security Office says, “Our customers’ security is our priority” in a news article about the rise in account takeover (ATO) and digital fraud, that will resonate with them, build relationships with your prospects, and put you front-of-mind by raising your organization’s authority. Being there to give expert commentary in times of crisis, such as the rise in cybercrime due to the conflict in Ukraine, is a sympathetic way to reassure your prospects and to offer genuine value as part of the global conversation.
An organization’s marketing department may also be able to provide or suggest media training – something that doesn’t traditionally fall under the remit of the CISO. This can be invaluable and helps people to be ready for cross-questioning, clearly conveying key messages and policies, and talking in a succinct and relevant way suitable for PR purposes. Often nowadays, this will also cover how to conduct yourself on social channels and online.
We work with many of our partners and customers in this way, who provide us with case studies, join in our cybersecurity webinars, and are very much a part of our client-facing Imperva family.
Walking the walk
It’s not enough for an organization to say they are secure; they have to be secure. Even now, 10 years on, the Ashley Madison brand (which was originally built on anonymity and privacy) is still associated with one particular data breach. Living up to a data-centric security promise is critical. Not doing so can be doubly catastrophic for public relations and can break consumer trust and a brand’s name forever.
Organizations need to “put their money where their mouth is” and maintain full control and visibility over all the customer data they gather, regardless of where it lives and whether structured, unstructured, or semi-structured. It’s one thing to say that our customers’ data is protected, but organizations – especially those who rely on data sharing, such as financial institutions, eCommerce, or healthcare – must have outstanding data governance, activity monitoring, and auditing capabilities, to maintain a solid public relations and data security record.
Making it personal
In the eCommerce security teams of the future, CISOs will need to be prepared for more of a life in the public eye. Those who already have a voice, and an audience, who already blog, tweet, create content for the likes of YouTube or LinkedIn, and talk about their chosen profession and data protection standards, will be a stand-out commodity. We already live in a world where building a strong personal brand builds stakeholder trust, and all our peers have to do is Google our names to get insight into our professional reputations, hobbies, career history, and more.
Don’t be shy about taking part, but know your boundaries. As the saying goes, “What happens in Vegas stays on YouTube.” You can be the sort of CISO who shares exquisite pictures of server wiring, heralds team achievements, and retweets thought-provoking and valuable IT security articles – though, do you really want to share pictures of your kid’s first day back at school or cybersecurity memes? (Hey, maybe you do?!) Just consider who might be watching, and the impression you want to give, before you press “send”.
A final word on trust
Organizations need to keep in mind their public-facing persona and how their customers see them. More so each year, cybersecurity is now an important part of that PR mix. Organizations need to show they care about digital safety and their customer’s data, and talk about this accordingly, as well as doing the work to make sure their customer data is genuinely protected.
If you are a CISO in an eCommerce organization, speak with your marketing department. They’ll be talking to you soon enough, especially when it’s time for your yearly ESG. Ask how your team can help to strengthen your brand security credentials and what resources are available to you to help create content around the topics of trust, security, and reassuring your potential customers that their data privacy concerns are being taken seriously.
Try Imperva for Free
Protect your business for 30 days on Imperva.