If you ask any e-commerce founder why they got into the field of digital commerce, you'll get a variety of responses. To create a global brand? Sure. To enter enormous new markets? Absolutely. To amass a fortune and retire wealthy. Yes, please!
What you won't hear is someone suggesting they got into online retailing so they wouldn't have to worry about cybersecurity. In the realm of e-commerce, cybersecurity — and its unruly counterpart, regulatory compliance — is regarded as a necessary evil at best. Without a doubt, your organization requires a strong digital security and data-privacy architecture, but you don't want to spend your valuable time delving into the specifics of these concerns.
That must change. Two of the information security industry's leading figures — NSA alum Jeff Man and veteran white-hat security pro Joseph Kirkpatrick — made it clear in a recent episode of the B2B Commerce Uncut podcast that in today's fast-changing world, security isn't something businesses can overlook, neglect, or simply outsource. It is time for founders to step up and take responsibility for their company's security.
Compliance vs. Security
Many founders believe that if they are meeting their legislative duties, they are also protecting themselves and their customers' data from security threats. The goal, however, should not be to meet your regulatory duties and then stop; rather, it should be to pay close enough attention to your security capabilities that you meet and surpass your regulatory obligations without breaking a sweat.
In other words, if you're effectively detecting and mitigating security issues, your regulatory responsibilities should be simple to meet. The issues arise when you look through the opposite end of the telescope and treat regulatory compliance as the primary goal. "Compliance is just a reflection of security to me. They're kind of the same thing," Man explains. "Really, compliance is just a yardstick - a measure to evaluate or analyze how well you're doing."
This is crucial to understand because regulations are always reactive. If there is a law prohibiting running out of petrol on the Autobahn, it is because one unfortunate motorist failed to fill his tank, causing gridlock. Similarly, regulations reflect previous errors and failures but do little to shield you from future cybersecurity threats.
Companies must be proactive rather than reactive in today's environment of fast-moving and well-resourced cybercriminals. This necessitates dedication to staying ahead of the curve rather than just ticking off the rules imposed by bureaucrats. "It's about the unknown - things we couldn't plan for," Kirkpatrick says.
Outsourcing's Limitations
Many e-commerce owners understand the need for cybersecurity but believe they can outsource the majority of their operational needs to third-party vendors. This is especially true in the modern era of SaaS tools and public cloud solutions: if you're purchasing services that run on Amazon's or Google's cloud infrastructure, you could assume your security requirements are met.
That is only partially correct. When outsourcing fundamental security operations, it's critical to pay close attention to what you're actually getting. Major cloud providers frequently offer a comprehensive set of best-of-breed security capabilities — but they treat them as optional add-ons, and it's up to you to click the button and enable them.
That will inevitably mean paying for the services you require, and dependable cybersecurity is not cheap. Again, you cannot avoid paying attention and exercising the necessary diligence. "There is a cost to security," Man explains. "You have to work out how much you want to spend, where you want to spend it, and where you want to invest."
Beyond cloud providers, businesses frequently look to consultants and outside partners to manage their security needs, which shows how strongly they want to delegate responsibility for their cybersecurity to someone else. Of course, you get what you pay for when working with third parties, and even premium security firms will only supply what you specifically request.
All too frequently, businesses feel that by signing with a third-party security firm they have covered all of their bases — but they fail to communicate with and monitor their new partner. This can result in them discovering, too late, that important features were never enabled, or that some datasets or sections of their operations were omitted from their coverage.
While you can hire people to help with your security, the ultimate duty for keeping your organization and its data safe is not something you can simply delegate. The onus is on you to ensure that you are fully informed about the services your third-party partners are providing and that they are following through on their pledges to keep your data safe.
Never, ever stop working.
So, what are the key takeaways for today's e-commerce executives?
Bottom line: It's time to start thinking about cybersecurity as a crucial competence for your company. If you get security wrong, you risk jeopardizing all of the time, energy, and resources you've invested in creating your brand and moving into new markets.
That means not viewing security as a matter of compliance or a box to be checked. It also entails personally overseeing your company's security efforts and following up with third-party providers to verify that commitments are kept and essential safeguards are in place.
Finally, it means realizing that security isn't a one-and-done component that should be built once and then left alone. It's better to think of it as a continuing process. We are continually seeing new issues and risks develop, and e-commerce firms must remain attentive in order to secure their data, operational capabilities, and customers.
"You just cannot be responsible for something so important to the success of your organization," Kirkpatrick argues. "You have to be constantly cautious and on the lookout for it."