
McKinsey Q&A: How Protecting Consumer Data Can Pay Dividends

Technologies ranging from the connected home to the smartphone are generating an explosion of consumer data. 
  • Written by Brian Buntz
  • 13th December 2019

Can retailers and consumer-facing companies optimize for cybersecurity and user privacy while also enabling customization at scale? The answer to that question is “yes,” according to a recent McKinsey article. 

The subject of cybersecurity has steadily become a higher priority for enterprise organizations, thanks to a steady uptick in reputation-damaging cyberattacks in recent years. Traditionally, many organizations struggled to quantify the potential return on investment in privacy and cybersecurity initiatives. But legislation ranging from GDPR to the California Consumer Privacy Act has changed that. “Suddenly, there’s a dollar value attached to non-compliance,” said Marc Sorel, an expert associate partner for McKinsey. 

The proliferation of the connected home and consumer-facing IoT technologies, taken together with consumers’ variable privacy threshold, further complicates matters. But in general, the more consumer data organizations collect, the higher the potential cost of missteps, in terms of reputation and possible fines. Organizations that emerge as security and privacy leaders tangibly decrease their business risk while potentially boosting consumer loyalty. 

In the following Q&A, Sorel shares why leading retailers and organizations with consumer brands can see their privacy and cybersecurity initiatives having a positive impact on their bottom line. 

What are some examples of how companies that have prioritized cybersecurity and user-privacy can see financial benefits? 

Sorel: There are real legal as well as financial benefits for the company that can flow to the bottom line and have a material impact on value creation. For instance, organizations with proven cyber hygiene can have constructive discussions with their cyber insurers about reducing their cyber insurance premiums. 

An organization that has, for example, a more secure geospatial mapping application can be a real differentiator with a customer base that is quite concerned about the integrity of the data that you’re collecting and using. Geospatial mapping data is also of great interest to nation-states and most sophisticated attackers. So, in short, I would say cybersecurity and privacy can be sources of differentiation and that there are many ways they can be sources of differentiation, whether it’s reputation, operational, legal or financial.

How much is legislation such as GDPR and CCPA a driver of this idea to see cybersecurity and privacy as a source of competitive differentiation?

Sorel: I think legislation is a major tail wind for the overall trend around viewing cybersecurity and privacy as increasingly not just the headline-grabbing source of concern but a source of differentiation for the business.

Running afoul of GDPR, at its worst, is 4% of global annual corporate revenues for the enterprise violating the law. And similarly, every state in the United States has a breach notification law, which means, if you are breached within a certain period, you have to report that to the breach notification authority in the state, or else risk facing a fine or worse. And then on top of that, there’s the New York State Department of Financial Services Cybersecurity Regulation [23 NYCRR 500], which regulates cybersecurity compliance for any financial institution with business in New York City or New York state. Such laws have both reach within their locale but also beyond their state or their country or their region. They have a real impact on the way that enterprises think about the importance of privacy and security. 

There are a couple of new provisions in China’s cybersecurity law that [are also applicable].

The article “Consumer-data privacy and personalization at scale” suggests that marketing teams be intimately involved in consumer data privacy initiatives. Can you share more about that shift? 

Sorel: I think a lot of consumer, retail and hospitality institutions are all thinking about how to solve the consumer data privacy problem while preserving the benefit and value of digital marketing, search engine optimization and the like. 

In many instances, the core question is: ‘How do I avoid running afoul of the regulatory regimes that are in place while, at the same time, preserving the minimum viable integrity of the data I’m collecting to drive commercial value and insight?’ That is the balance that all of these institutions are trying to, in many cases, strike. 

Part of it is a profit answer in terms of how you treat the data that you’re collecting and what data you’re collecting, and what [type of] notice you give to the consumer. And part of it is a technical answer. You have to figure out how to splice, shield and otherwise mask the data that, in aggregate, reveals aspects of a person’s identity in ways that could be violative of their privacy. That is especially the case if they haven’t consented to sharing that data. And so this particularly affects remarketing as a part of consumer engagement, and how to remarket effectively using data from sites collected from SEO to drive traffic elsewhere — especially in instances where it may not always be known to the user that the data is being collected and used for those purposes.

So how do you change that because you have to under the law, in ways that still allow you to preserve enough integrity with the data to drive commercial input? 

A growing number of organizations are beginning to assign responsibilities such as cybersecurity champions or security and privacy ambassadors. There’s also an emerging role of business-information security and privacy officers. Could you share your thoughts on these trends? 

Sorel: The first thing I would say is that an ambassador is no different from a champion, really, in practice. It’s meant to be somebody in the organization who may not be doing security and privacy as their day job for the company. But this person is passionate enough about the topic — or [privacy or cybersecurity] is critical enough to their work — that they have reason and occasion to know more about the topic and resources and best practices than other employees. And through that, they become an advocate for those practices in their organization. 

In terms of the business-information security and privacy officer role, the idea of having someone who sits at the intersection of the cybersecurity function and the business is not particularly new. It may be in an early stage of adoption, but it’s not particularly new. The business-information security and privacy officer role’s value is to act as a two-way street between the cybersecurity function and the business. This is both to make sure that the business is meeting the requirements of the cybersecurity function for the enterprise, but also as the business evolves, that the business sees feedback about those cybersecurity requirements fed into the updates and revisions and redeployment of new policies and controls, and capabilities, to enable the business going forward. 

And that’s been the value of that role in the enterprise. I think what we’re seeing today is more of the convergence of security and privacy duties in single roles in the enterprise. From a risk perspective, particularly on the tech side, they tend to catch a lot of the same people a lot of the same way. Where, of course, as we mentioned earlier, the regulatory nuances are material between the two and different, but the core element of a risk-based approach for the day-to-day operations of the business are quite similar. And the BISPO role is the next generation of the role that sits at the intersection. You can almost call it the tech risk function, which includes security and privacy and the business itself.

The article “Consumer-data privacy and personalization at scale” recommends building security and privacy into enterprise analytics. Can you summarize why that’s important? 

Sorel: It depends on what type of analytic problems you’re trying to solve. 

The first thing to understand when you’re trying to build out an analytics capability is making sure that you’re building security and privacy into it. Typically, you’re taking a use-case-based approach to the analytics capability you’re building. And before you actually begin to use it, or even build it, you’re clear and aligned on what is going to be your set of policies and controls for managing access, for managing the data that runs through it, for managing the output that it generates and the uses to which those outputs are executed. And then, you make sure you’ve established which maturity capabilities from your existing stack need to be extended, and which incremental capabilities you might need, given changes you’re making to your infrastructure architecture. 

The last thing I would say is that it is vital from a process perspective to make sure that you have in place the right governance committee, ideally, from both the business and technical side. The committee should convene regularly and make decisions about how to deal with issues that may arise as you go. Regardless of how well you plan, the nature of most analytics projects is that they’re complex, and [it is impossible to anticipate] all of the security and privacy issues that may arise as you execute.

The notion of tokenizing consumer data received considerable attention last year, given the surge of interest in digital ledger technologies then. What role do you see tokenization playing for consumer data? 

Sorel: Tokenization is just a way of just encrypting data points in such a way that there is not further decryption along the way. It ends up being a pretty impenetrable and secure channel for transmitting data from sender to recipient. Tokenization is used a lot today in financial services, particularly in payments but not really at scale elsewhere, although payments affect retail and the consumer sector — any industry where you’re having a consumer make a payment with a credit card. Also, tokenization can be in the enterprise B2B context where B2B payments occur. 

So tokenization is there for transactions. It has not yet scaled to consumer data. That’s the opportunity we are getting at. It’s very early days. I would say that it has not been adopted at scale. 

I think for other types of masking, [we’re seeing] a similar story. It mostly has to do with the only recent awareness of the imperative to engage in that type of masking [or] the consequence of recently passed regulations and requirements for treating consumer data carefully and in a way that meets the security and privacy expectations of the existing regulatory regime as well as the preferences of the consumer. 

To summarize, any final advice on how organizations can improve their standing with customers by prioritizing privacy and security initiatives?

Sorel: A number of institutions across a few industries are grappling with how to ensure a secure customer experience. We know from clients we’ve served that you can improve the Net Promoter Score of a company by improving the security experience of the customer with the company. And this is especially true in financial services. But anywhere that you have any clickthrough identity validation or another type of security protocol, it is especially true. 

And so what do effective and leading practices in customer experience look like? It’s all about empowering the user to set the standard they want to follow for validation through the medium and the means they prefer. You need to make sure that you do it in a relatively clickable and labor-free way. So that typically means, tactically, [providing clear options for consumers when they] are first engaging with the enterprise. The key is having a lot of different options for how they can set their preferences, but also providing an ongoing perspective on what they might want to choose as a way to empower them to have control over their experience. And typically, when the consumer has that control, they end up having a better experience, which then leads to all the other good things that come with a relatively better customer experience.

 
