When Paul O'Neill famously transformed Alcoa by focusing on worker safety, he performed an act of corporate alchemy that any CEO would envy. How did he do it? At the heart of Alcoa's transformation was a dogged focus on a single habit — a key that unlocked solutions to the myriad problems that had been restraining company growth. While worker safety may not be your issue of choice, this story suggests that in a data-driven business environment riddled with leaks, breaches, and compromises, focusing on the goal of zero information loss may be the keystone habit that can unlock success for your company.
What if an information security program could actually yield happier customers, inspired employees, and ultimately greater profits? Well, that's the promise of a little-known stratagem called the "keystone habit" — the application of a laser-focus to a single corporate goal.
The real power of the keystone habit lies in its many ripple effects. When paired with information security, for example, it can drive improvements in processes across the entire organization — simply because every organizational department handles sensitive information. As such, it's a habit that can impact people, processes, and technologies in equal measure to make over operations in the kinds of value-adding ways that distinguish the world's best companies. The big idea is that when an organization decides to make a habit of managing its habits and behaviors, rewards follow.
Why zero information loss? Because in today's data- and privacy-driven world, it is a clear and compelling corporate target. Data is the fuel of business. But while it is big and ubiquitous, data is also fragile. If an organization's informational assets, including those of its customers, are not to be lost, stolen, corrupted, or abused — which, as everyone knows, happens on a daily basis — the handling of those assets will require a great deal of dedicated, competent, and disciplined care.
There is no question about it: data has a shadow side. Security breaches happen, customer trust is frequently destroyed, and massive monetary losses result. It's no wonder then that information security is a top executive concern: breaches are extremely costly, not only in real terms, but also in customer churn and loss of shareholder value.
But what, exactly, is a keystone habit and how does it work? Simply stated, it's a single strategic corporate value that can be summed up in a concise, if not pithy, expression — one habit around which everybody in an organization can rally. In Alcoa's case, the keystone habit of worker safety not only eliminated injuries, but the organizational, operational, and procedural changes involved in eliminating those injuries contributed to better union relations, engendered broader worker empowerment, inspired more innovation, and ultimately yielded the highest profits in the company's history.
In making the case for zero information loss as the object of the keystone habit, all one has to do is consider the sobering reality of the information security landscape: Globalization, mobile technologies, and the unbridled proliferation of data have converged to all but eradicate the traditional organizational boundaries — and eliminate along with them the customary information security measures that used to keep data safe. No longer is information security the sole province of the IT department. It is, quite literally, in the hands of employees, contractors, and partners, whose grasp of information security principles is tenuous at best. Consequently, the ranks of executive management have been increasingly compelled to change the way they view this business imperative. The fact is that once data goes digital it becomes inherently vulnerable to a great many forms of nefarious activity. And with more than 80% of an organization's intellectual property also in digital form, far more than customer information is potentially exposed.
Consider the life cycle of a single piece of information — any piece of information. It could be a customer record, a product order, a sales report, process documentation, or a trade secret. It might be a patent description, a schematic, or raw data in support of a market research project. For that given piece of information, what was its point of origin? Who created or captured it? Who accessed it or shared it? With whom was it shared? In how many places has it been stored? You get the idea. Now trace the path of that data inside — and outside — your organization and you might be surprised to discover how many times and in how many ways and how many places it changed hands, minds, and machines. And at every one of those points of exchange, some form of human behavior was likely involved. What was the nature of that behavior? Did it follow the necessary protocols and care? Now multiply this scenario across every activity within every department across your entire organization, every hour of every day. In no time, you'll see how the objective of zero information loss leaves no organizational stone unturned.
Many CSOs are coming to see information security as a holistic, enterprise-wide concern that extends well beyond infrastructure to the far less predictable — and less controllable — human endpoint. And those human endpoints have habits — some good, some not so good. Still others have discovered that elevated competencies in information handling can actually be a competitive differentiator, particularly where customer trust is essential. So rather than simply complying with cost-incurring regulatory requirements, why not leverage them to create a financial return? Why not co-opt an administrative burden to enable better business processes and practices?
No doubt, instilling the habit of practical, measurable security mindfulness will require a change in the corporate culture. But if a change in the organization's habits can also substantially alter the competitive landscape, then stoking the formation of motivated habits will be well worth the effort. Seen in this way, zero information loss is a strategic objective for all organizations seeking not only to protect their customers' privacy, but also to reinforce brand reputation, build loyalty, ensure regulatory compliance, and grow revenues in the bargain.
John Schroeter is Director of Marketing at MediaPro, a provider of security awareness training solutions. Tom Pendergast, Ph.D., is MediaPro's Director of Product Strategy and Instructional Design.