Ask any e-commerce founder why they got into the world of digital commerce, and you’ll hear many answers. To build a global brand? Sure. To reach vast new marketplaces? Absolutely. To make a fortune and retire rich. Heck yeah!
What you won’t hear, though, is anyone saying they got into online selling because they wanted to spend their time worrying about cybersecurity. In the e-commerce world, cybersecurity — and its unruly counterpart, regulatory compliance — is seen as, at best, a necessary evil. Of course, your company needs robust digital security and data-privacy infrastructure, but that doesn’t mean you want to spend your precious time immersed in the details of these issues.
That needs to change. In a recent episode of the B2B Commerce Uncut podcast, two of the information security industry’s leading figures — NSA alum Jeff Man, and veteran white-hat security pro Joseph Kirkpatrick — made it clear that in today’s fast-changing world, security isn’t something that businesses can overlook, neglect, or simply outsource. It’s time for founders to step up and start taking ownership of their company’s security.
Security vs. Compliance
Many founders think that if they’re doing enough to meet their regulatory obligations, they’re also doing enough to keep themselves and their customers’ data safe from security threats. But the goal shouldn’t be to meet your regulatory obligations and then stop — it should be to attend closely enough to your security capabilities that you meet and exceed your regulatory obligations without breaking a sweat.
If you’re detecting and minimizing security problems effectively, in other words, your regulatory obligations should prove easy to meet. The problems start when you look through the other end of the telescope and treat regulatory compliance as a core goal. “To me, compliance is just a reflection of security. They’re kind of one in the same thing,” explains Man. “Compliance is really just a measuring stick — a way to evaluate or assess how well you’re doing.”
That’s especially important to remember because regulations are always reactive. If there’s a law against running out of gas on the Autobahn, it’s because of that one time some unfortunate person forgot to fill his tank and caused gridlock. In the same way, regulatory mandates reflect past errors and missteps — but can’t do much to protect you against future cybersecurity challenges.
In today’s world of fast-moving and well-resourced cybercriminals, companies need to be proactive rather than responsive. That requires a commitment to staying ahead of the curve, rather than simply checking off the rules passed down by bureaucrats. “It’s about the unknown — the things we couldn’t have planned for,” Kirkpatrick explains.
The Limits of Outsourcing
Many e-commerce founders do recognize the importance of cybersecurity but assume they can largely outsource their operational needs to third-party providers. That’s especially prevalent in the new era of SaaS tools and public cloud solutions: if you’re buying services that are underpinned by Amazon or Google’s cloud infrastructure, for instance, you might assume your security needs are covered.
That’s only partly true, however. If you’re outsourcing core security functions, it’s important to pay close attention to what you’re actually being provided with. Often, major cloud providers offer a full range of best-of-breed security features — but they treat them as optional add-ons, and it’s up to you to click the button and turn them on.
Inevitably, that will mean paying money for the services you need, and reliable cybersecurity doesn’t come cheap. Again, you can’t get away from the need to pay attention and do due diligence. “Security comes at a cost,” Man says. “You have to figure out how much you want to spend, where’s the right way to spend it, and where to make your investments.”
Looking beyond cloud providers, companies often turn to consultants and outside partners to manage their security needs — a sign of how badly they want to be able to pass responsibility for their cybersecurity to someone else. Of course, when you work with third parties, you’ll get what you pay for, and even premium security providers will only provide services you specifically request.
All too often, companies believe they’ve covered all their bases simply by contracting with a third-party security provider — but they fail to communicate with and check up on their new partner. That can lead to a situation where they discover, once it’s too late, that key features were never turned on, or that certain datasets or sections of their operations were excluded from their coverage.
The reality is that while you can pay people to help with your security, the ultimate responsibility for keeping your company and your data safe isn’t something that you can simply delegate away. The buck stops with you — so make sure you’re completely up to speed on what services your third-party partners are providing and follow up to ensure they’re actually keeping their promises when it comes to keeping your data safe.
Never Stop Working
So what’s the takeaway for today’s e-commerce leaders?
The bottom line is that it’s time to start viewing cybersecurity as a critical capability for your business. Get security wrong, and you’re putting at risk all the time, energy, and resources you’ve dedicated to building your brand and expanding into new markets.
That means not treating security as a question of compliance or as a mere box to be checked off. It also means taking personal responsibility for supervising your company’s security efforts and following up with third-party providers to ensure that promises are being kept and that necessary precautions are being taken.
Finally, it means understanding that security isn’t a once-and-done component to build out and leave in place forever. Instead, it’s better thought of as an ongoing process. We’re constantly seeing new challenges and threats emerge, and e-commerce brands need to stay constantly vigilant to protect their data, their operational capabilities, and their customers.
“You just can’t not be responsible for something that’s so critical to the success of your business,” Kirkpatrick says. “You have to be ever vigilant, and you have to always be pursuing it.”