Privacy and Security The New Startup Core Competency?

“The paradigm for cybersecurity has changed dramatically in the past 5 years. Industry Regulations, Customers and Partners expect and will force you to comply with basic safeguards but much more is required to really protect your IP, 3rd Party Data, and reputation. ..Leadership in products and services is only possible when an expert in cyber and privacy is ingrained in the firm.” -- Curtis Hutcheson, CEO of Infocyte

The explosion of new ideas, products, and services requires new entrepreneurs and small-business owners to stay focused on what makes them and their products unique, and stand-out in the market where you want to compete. To be successful, entrepreneurs and small-business owners need to understand their “core competencies” their magic sauce, and not fall into the model that everything can be outsourced. There are a few models where this has been a viable model, but for most, keeping the “core competencies” in-house, or close to home is key to speed, growth, learning, and adaptation.

The term first originated in a 1990 Harvard Business Review article by C.K. Prahalad and Gary Hamel titled “The Core Competence of the Corporation." The authors identify this concept as the “secret sauce” of business.

As the technology market has matured in the last ten years, and more regulations and laws have come into effect, small technology and data companies are finding that one of the “core competencies” that is limiting their growth, is a lack of focus on privacy and security. Less than 10 years ago, many technology companies were able to get started and get their ideas and products into the market, with limited risk. Today, procurement departments, third-party risk management programs, and other similar “gates” have been implemented, making it hard for new systems and solutions to be tried and tested, unless some basic privacy and security controls have been put into place.

It’s a good idea to learn more about these gates and understand this critical business sales and growth concept and then determine your company’s privacy and security core competency for maximum gain. Here are five core competencies that you may need, depending upon your customers and the privacy and security requirements that you need to be able to address.

Define Your Privacy and Security Core Competencies

It is important to understand that when we talk about privacy and security requirements, there are hundreds, if not thousands that could be applicable depending upon your client, their locations, and the type of business and data that they process and store. PwC’s recent release of Risk Atlas collects over 2,000 laws and regulations from around the world, that could be applicable to a global business. PwC Risk Atlas centralizes global privacy and security regulatory requirements, controls, and standards that can be customized to your organization’s business processes. Stay up to date on authoritative sources, know when to take action, create a prioritized implementation plan, and track its efficacy — all in one place.

To start to define the privacy and security competencies right for you and your organization, there are five core competencies that you should consider:

Policies, procedures, privacy & security requirements, and control framework. This is a set of documents that establish for your marketing team, sales resources, and your technical development team the minimal privacy and security requirements that your organization can meet today, and its roadmap for meeting these in the coming months or years, depending upon client requests. We are finding that the roadmaps to remediate are getting shorter and shorter as more companies implement stronger procurement and TPRM programs.

Governance / Project Management Office. If you have a roadmap, it is often difficult to translate the who, what, where, when into actionable plans, usually since most staff are already busy with other core competencies, or they do not have the knowledge and skillset to build and document you something that will be acceptable by your clients. Here is a focus on making sure you have someone knowledgeable of these capabilities, and that can get you across the finish line.

Security / Privacy Technology Architecture. A lot of vision and foresight goes into the development of every new product and service, and speed to market is key to success. But as you are making design and architecture decisions, it is important to have someone thinking about and asking the right technical architecture questions, so that certain design decisions do not limit your ability to get a product to the market, or quickly make adaptations. We have seen authentication designs that work for small users, totally not meet a corporate client who is 1,000 times sales.

CTO/CISO/CRO. At some point, you are going to need someone who can integrate the chief technology officer, chief information security officer, chief risk officer, and chief privacy officer roles and responsibilities. Starting out, these will be maybe advisory roles, but eventually, when you need someone at the table to assist with contract negotiations and sales presentations, for clients that are focused on privacy and security, you should consider having someone at the table who knows your company and products and can help guide you in what you can and can not do, in what timeframes, to meet these large client opportunities.

Product Vulnerability Management Services. The last major core competency to consider is demonstrating to your clients and the market how well your product and services protect data, and meet security design and configuration standards. This can be done through the use of various third-party technology services, possibly internal quality control and testing procedures, and even more robust third-party certifications should they be required for companies that deal with healthcare or financial data.

The reality today is two-fold. First, every company is collecting and using data, and so are responsible for it and how it’s used. 

Second, consumer’s trust in data privacy and security is at an all-time low, while the value to a business is at an all-time high and to all brands, not just tech companies.

Privacy and Security should be core as we suggest but also there is another fundamental reason -- leaders will emerge who stand-out in terms of Privacy and Security.

"People increasingly see privacy as a fundamental human right, even though personal data flows freely in our connected economy. Savvy organizations understand that if they want to build trust and loyalty over the long term, they have a responsibility to protect consumer information and live up to their users’ expectations about how their data will be used.” -- Jules Polonetsky, CEO of Future Privacy Forum

As you look at your growth plans and strategies for the next 12-18 months, it is important to understand what privacy and security core competencies you are going to need to get to and close on the clients you are focused on from a go-to-market perspective.

About the authors:

Paul Hinds

Any opinions in this article are not those of PwC or its clients. The opinions in this article are the author’s opinions only. Paul Hinds is a practice leader in PwC’s Cybersecurity, Privacy and IT Risk practices. He works with private equity firms and their holdings providing Board and Executive Management risk management and IT security and privacy services. Paul can be reached at Paul.Hinds@pwc.com and (224) 723-4817.

Mitchell Posada

Mitchell is a former product leader now focused on helping startups transition to scaleups through product, business development, go-to-market execution, and investor relations with FounderAdvisors.tech. Mitchell works with early-stage teams to achieve sales momentum, providing hands-on de-risking strategies to accelerate achieving product-market-fit or scaling-up. Mitchell can be reached at mitch@founderadvisors.tech.