Products compete in the market based on companies’ prowess in R&D, engineering, operations, sales, and customer support. In established categories, which account for 87% of new products, companies continue to face diminishing returns on their efforts to deliver value and realize prices through new features, while constantly feeling cost pressures. Product cybersecurity can now offer a pathway to substantially impact the price-value equation for digitally connected products. It demands, however, institutionalizing new operating processes (a competency-developing activity), not just creating Chief Product Cybersecurity Officer (CPSO) roles.
Product managers are the CEOs of their products when they are given budget and resource allocation authority. They lead operationally by managing product-related requirements, essentially the ones that contribute to three key elements: value, price, and cost. A product manager’s leadership in optimizing value-price-cost for a product is critical to achieving margin-accretive growth, as highlighted in the figure below.
The recent uptick in cyber-related incidents and their impact on businesses, infrastructures, and people is leading regulators around the world to introduce laws pertaining to product cybersecurity. Last year, Singapore introduced the voluntary Cybersecurity Labeling Scheme (CLS), which rates the level of security of smart devices to motivate manufacturers to develop more secure products, moving beyond designing such devices to optimize functionality and cost. Similarly, the US signed the Internet of Things (IoT) Cybersecurity Improvement Act of 2020 earlier this year, which requires NIST and OMB to release requirements relating to product cybersecurity and policies for procuring such network-connectable products in government agencies. In fact, NIST is considering a framework similar to CLS.
A vulnerable network-connected product creates risk not only to its own availability and functionality but also to the entire connected network and the other components connected to it. In many applications, the security of the data that a product or the associated network contains, or outputs, is also very important. Such connectable products can be differentiated by incorporating robust cybersecurity as a feature, just as superior quality was incorporated in Japanese cars and later positioned as such.
As shown in the example below, a pump within a medical network can cost approximately $2,000. A healthcare facility would likely spend more than twice its cost in implementing compensating controls to keep it secure over its lifecycle. If this device were breached, it could create patient safety and/or data security risk well in excess of its cost. Clearly, in this case, value from good cybersecurity can outweigh many value-added features of the product. To that point, healthcare providers may even pay a little extra for the pump if they are assured of robust cybersecurity considering the fast-escalating ransomware risk!
The value can be appreciated from the recent Elekta software breach, for which this Swedish radiotherapy equipment maker faced lawsuits. The breach of Elekta’s cloud-based radiology software caused patient care disruptions at many health systems, including Intermountain, Advocate Aurora, McLaren, and Northwestern Memorial.
It is well understood that the price realized for a product depends heavily on how much value customers recognize; the value might be in the form of superior capability or lower cost. Hence, companies spend considerable effort differentiating their products and the associated value. The level of cybersecurity incorporated into a product, as shown in the following figure, can serve as a differentiator; higher levels of cybersecurity can offer incremental value beyond what might be required by a growing number of regulations. Products can instantly be differentiated based on their built-in cybersecurity if some form of labeling scheme, as rolled out in Singapore, is adopted widely.
Behind closed doors, many companies worry that incorporating robust cybersecurity into products would translate into a higher cost structure, because such an endeavor requires additional engineering resources as well as scarce cybersecurity talent. The concern is not without merit! Hence, the level of cybersecurity offered must be part of the value-price-cost equation that the product manager optimizes.
Many companies are addressing their product cybersecurity goals by creating CPSO roles and funding their respective organizations. These teams typically act as internal consultants. While this is the right first step considering the need for cybersecurity-related skills, if these skills are not ingrained into the broader organization and the associated practices are not infused into the product development and life-cycle management processes, companies will face increasing cost with diminishing value. Hence, product cybersecurity efforts should be similar in nature to those relating to product quality. In fact, companies can apply the “total quality” approach and its associated playbook to product cybersecurity to ensure a superior, repeatable outcome at a lower cost. They can standardize practices, leverage assets, measure performance, and govern product cybersecurity efforts with appropriate metrics by creating Centers of Excellence (CoE).
Many assessments have uncovered that up to 60% of devices tend to be vulnerable at any given point in an organization. This is partially due to an organization’s lack of sufficient effort and partially because of inadequate cybersecurity-related support from device manufacturers. Users face substantial cost implications in managing their risks. Hence, good cybersecurity support can serve as a differentiator and offer margin-accretive growth potential.
ResiliAnt’s solution allows you to build excellence in product cybersecurity. The solution incorporates a set of tools and best practices to deliver up to 65% cost productivity. ResiliAnt can build and/or support your product cybersecurity CoE covering the full portfolio of your network connectable products. To learn more about the topic, approach, and our solution, email us at info@ResiliAnt.co.