Positioning security as a stakeholder value proposition
By Patrick Kehoe, Chief Marketing Officer at Coalfire
With breaches and shutdowns making daily headlines, no one wants to do business anymore with companies that can’t assure buyers that they’re on top of their security programs from supply chain to point of sale. As a result, cyber risk exposure has become a dominant factor in customer purchasing decisions. And now, with COVID and the cloud, enterprise risk posture has become a critical factor for investors.
For equity shareholders, venture firms, acquirers, and merger candidates – and a growing constituency of external stakeholders and internal employee stock option programs – a company’s security and compliance credentials are becoming just as important as its financial statements.
SEC Changes the Game
It’s human nature to hide flaws and imperfections, but daily headlines blaring the latest breach have inspired the Securities and Exchange Commission to turn that instinct upside down with new disclosure requirements. A proposed SEC ruling will force public companies to disclose material security incidents within four days. “Material” means anything that could impact a company’s stock price – which is nearly impossible to determine that fast. This implies legally actionable consequences based on far more uncertain criteria than the conventional governance and compliance standards that security managers are used to dealing with.
If this proposal becomes law, it will eclipse the historical impact of the Sarbanes-Oxley Act 20 years ago, which was implemented by Congress in reaction to corporate accounting scandals. When public companies adopt this new level of reporting, it will inevitably trickle down into the greater private sector, forcing the hand of corporate communications and investor relations teams to engage immediately with constituents, especially investors.
The Path to Cyber Investor Confidence
There’s a lot of work to be done to refocus marketing on cyber with a strategy of ultra-transparency! In a recent Forrester survey, security decision-makers ranked investors last on their list of stakeholders to receive cyber performance reporting. In stark contrast, investors surveyed by RBC Global Asset Management identified security as one of their most important governance issues.
In this significant change management moment, marketing teams, legal, and investor relations professionals must adopt a new discipline: integrate cyber assurance into customer and investor communications. Here are the top-five enterprise strategies to help close the gap between security posture and market confidence:
- Establish an investor relation cyber program
- Build and leverage a corporate Trust Center that is featured prominently on your company’s website and within investor communications. The Trust Center should showcase risk management priorities, security policies, privacy assurance practices, and compliance information across all divisions and product lines.
- Within the Trust Center, use compliance frameworks as your “seals of approval.” These provide proof points that connect security posture with operational resilience and brand trust.
- Link security posture to performance metrics
- Provide visibility to investors through presentations and regular financial reporting that validates management’s intentions and demonstrates your cyber program’s effectiveness. Investors value quantitative, objective metrics regarding cybersecurity performance and outcomes, always in context with policies, controls, governance, and procedures.
- Convey your risk philosophy.
- We can’t eliminate risk, so we rely instead on experience and intuition that inform a strategic hierarchy of vulnerabilities and philosophies that drive remediation strategies.
- Convey a pragmatic strategy that identifies the company’s unique threat landscape and what types of attacks it’s likely to face.
- Make sure to communicate what factors can be controlled, what risks the company is willing to take, and how those decisions are made.
- Incorporate the supply chain
- Leverage a multi-pronged communication approach
- Prepare PR, IR, and legal teams to move with every incident. Collaborate using the Trust Center to develop a “damage report” process that makes sense of breaches when they happen and communicates remediation strategy in real-time.
- Integrate security posture into periodic financial reporting. After one of history’s worst identity thefts in 2017, Equifax bounced back with a corporate overhaul, including an annual report that specifically communicates and elevates security as an investor value proposition.
- Confirm to the board of directors that security costs for tools and controls can translate into platform-enabled, seamless systems that deliver better financial performance.
- Integrate Trust Center content into sales team materials and communications. If presenting the company for acquisition or future financing, incorporate security culture and updates into your pitch deck.
Circle of Trust
All stakeholders want confidence in their relationships and within their spheres of influence. No one wants to buy from or do business with companies they can’t rely on. No one can afford to buy and hold the assets of a company – or allow that company to acquire or merge with another – without an enhanced level of trust in today’s cloud-exposed environments.
Management must re-calibrate security and trust as bedrock business principles and prioritize transparency and cyber integrity throughout all enterprise communications.
About the Author
Patrick Kehoe is Chief Marketing Officer at Coalfire. He has over twenty-five years of experience working with software, hardware, and service providers in High Tech and cybersecurity markets, where he has successfully built and deployed growth strategies and innovative marketing approaches. Prior to joining Coalfire, Mr. Kehoe served as Chief Marketing Officer for Arxan, where he and the team analyzed application security vulnerabilities and deployed solutions to protect applications. Previously, he held leadership positions at Siemens Enterprise Communications (now Unify), a global provider of communications software and services, where he was responsible for North American marketing and partner business, and he oversaw the development of the strategic plan and drove market awareness and pipeline generation. Prior to his work at Siemens, Mr. Kehoe spent nearly 20 years with Booz Allen Hamilton and MarketBridge, a sales and marketing professional services firm, providing business and IT strategy consulting services.
Mr. Kehoe has a track record of success in the Americas, Europe, and Asia, and has spoken at conferences and corporate events on a variety of sales and marketing topics. He holds a degree in Computer Science from Vanderbilt University and an MBA from the Darden Graduate School of Business, University of Virginia.