Bruce Bonsall
Bruce Bonsall
He probably doesn't realize it, but if Bruce Bonsall, the chief information security officer of MassMutual Financial Group, ever gets tired of this whole technology thing, he may have a future in sales Of course given that Bonsall, 49, has led the IT security practice at the Springfield, Mass.-based financial services firm for the past 17 years, he might laugh off such a notion as nothing short of treasonous.

But with sensitive data protection a top concern for most businesses, Bonsall's ability to clearly convey MassMutual's security posture to potential customers — as he has been doing for years to senior management — has provided an unlikely shot in the arm for the sales department.

Case in point: Last year, Bonsall received an email from the company's marketing director, informing him that his presence on a sales call single-handedly helped MassMutual land a $25 million 401(k) plan deal.

“I want to let you know that we clinched this deal because they were very pleased with our security,” Bonsall recalls the email as saying. But even though he and his team of 60 know their work was responsible for closing the multi-million dollar contract — and likely many others along the way — they do not consider themselves a marketing gimmick.

“The security program was never about window dressing,” Bonsall says. “It was about putting in solid security. Our intent was never about having a good story for marketing. It just turned out that way.”
It seems to be turning out that way for a lot of organizations these days. Businesses that leverage their security to create an apparent competitive advantage — namely online retailers, banks and other financial firms — are becoming more common as customers demand trust when conducting business on the web, say experts.

Meanwhile, using security to instill this advantage has become a driver for justifying spending, much in the same way that regulatory compliance has during the better part of this decade.

“We see a lot of companies, especially the more progressive companies, thinking about how they can use security as a differentiator for their business,” says Rob Sadowski, senior manager of technology solutions at Hopkinton, Mass.-based EMC. “It helps them justify the purchase of the technology.”

Businesses can use security to increase consumer confidence that will help drive sales, build brand equity, improve online shopping conversion rates, and increase the number of credit card transactions, according to a VeriSign white paper on the topic. Meanwhile, applying this approach in business-to-business environments can lead to preferred-partner relationships, which often include financial benefits, such as price discounts and favorable payment terms.

“Security is a relatively dense and arcane subject,” admits Edward Kountz, senior analyst in payments and financial services at Jupiter Research. “Approaching it from a marketing perspective helps to put a face on it and makes it more comprehensible.”

Marketing and security merge
Studies across the board have shown that security, or a lack thereof, is a primary reason why end-users are reluctant to do business online. And well-publicized breaches, such as those at Monster.com and TJX, have not helped matters.

But exactly how companies use security to distinguish themselves has no clear precedent and varies from firm to firm. In fact, some experts are hesitant to call security a differentiator, given today's
climate of profit-driven cyberthieves.

“A lack of security provides a competitive disadvantage,” says Greg Thomas, director of research and programs at Emory University's Goizueta Business School in Atlanta and an expert in brand trust.
“It is more of a hygiene factor, or a requirement of industry participation, than a competitive advantage,” he says. “Competitive advantage is something that a firm has that no other firm can replicate, at least in the short term.”

Donovan Neale-May, executive director of the CMO Council, a trade group that represents more than 3,000 chief marketing officers, agrees that when it comes to security, marketers are more concerned about it being a turn-off than a turn-on.

“What marketers look at is resistance to embracing a new product or service where there may be security concerns,” he says. “You don't want security concerns to be the reason why someone doesn't book online.”

MassMutual, for example, rarely promotes its security in marketing materials or advertisements, but is willing to discuss it whenever someone has a question.

“Most recently we have had to get more detailed in our write-ups to potential customers,” Bonsall says. “In the beginning, we provided high-level comments. Now we're giving greater detail because the questions are getting more pointed.”

Bonsall said the company is open to providing general information on some of the key ingredients that make up its defense strategy, which includes vulnerability management, wireless monitoring and application security. Additionally, MassMutual deploys a security information management platform from Archer Technologies to manage its infrastructure.

“I think we have a good story to tell and I understand why companies want to talk to the security person,” Bonsall says. “So, if I can help the business, I'm more than happy to do so. I also firmly believe that information security is not just an IT issue, it's a business issue.”

For online-centric businesses, attracting and maintaining a loyal web customer base is integral to limiting or eliminating resources needed for brick-and-mortar structures — potentially a huge cost savings. But to bring these people online, businesses must prove they are operating securely, experts say.

“Everybody who researches comes back to the same thing, which is that people want to do business online but think it's a frightening thing,” says Tim Callan, a product marketing director at Mountain View, Calif.-based VeriSign. “A business that can convince someone that this is safe has a significant leg up on a competitor that cannot.”

One way to differ from the competition is by appealing to sight and touch. Earlier this year, PayPal, for instance, began issuing tokens to help combat phishing attacks, and a number of other web-based companies have introduced various other forms of two-factor authentication.

Meanwhile, sites such as FileYourTaxes.com — an online tax preparation company — tries to differentiate itself by displaying seals of approval from VeriSign and the Better Business Bureau at the bottom of its home page.

Other sites show off web privacy assurances, such as one from TRUSTe, a nonprofit that certifies that the recipient adheres to certain principles, including the posting of disclosure notices about personally identifiable information. It also offers users the choice of how they want their information used.

Meanwhile, VeriSign has issued extended validation SSL certificates to 1,500 customers to help promote website legitimacy. By contrast, the company has delivered more than 900,000 of the traditional SSL certificates, Callan says. But, preliminary research shows that transactions are up 11 percent at sites where the address bar turns green, a feature of the new cert, he says.

Then there are companies that have worked to build a brand around security. Citigroup, for example, launched a series of popular television spots a couple of years ago to promote its Citi Identity Theft Solutions. The ads depict a variety of individuals speaking in the voice of the thieves who stole their identity. They discuss how much fun they are having using the victims' credit cards.

Similarly, Bank of America copyrighted the Total Security Protection name, billed by the bank as its new, free standard in consumer credit and check card security. It includes zero liability for bogus purchases, fraud monitoring, guaranteed credit and the option of placing the customer's photograph on the front of debit and credit cards

Be careful not to attract hackers
Despite this approach to marketing security, businesses must ensure they strike a delicate balance between drawing customers and avoiding the ire of hackers. Businesses should tout their security postures as robust and forward-thinking, but not as unbreakable and impenetrable, according to experts.

Bonsall says that can be a difficult line to walk.

“The challenge is in giving enough information to satisfy customer questions without giving away too much information,” he says. “Security is not something you always want to be too forthcoming about.”

But, he adds, MassMutual makes no guarantees. “We don't give a 100 percent guarantee, partly because security isn't a point in time,” he says. “At any given moment, I can't guarantee there isn't a new vulnerability in our environment. We follow industry best practices and stay on top of things.”
As threats evolve, tokens and green bars may become a commodity, experts say. But new leading-edge technologies will emerge to maintain public confidence in doing business, particularly online. Some companies will rise above others, either in perception or through actual solution implementation.

Yet, there is still no standard model to quantify just how much security investments and marketing contribute to things like brand loyalty and overall sales.

For now, as Emory's Thomas says, businesses will have to go on the belief that security is a requirement for participation — perhaps nothing more and certainly nothing less.

“Are consumers really swayed by a more visible, coherent approach to security?” Jupiter's Kountz asks. “It's still too early in the game to know. At this point in time, I think it's clear that consumers are concerned. One way to alleviate that is to present information that is less shrill but more straightforward.”

The CMO Council's Neale-May agrees that security may not necessarily serve as a company's primary value proposition, but will forever have importance. “It's always going to be a message point,” he says. “It may not always be a selling point, but it's always going to be a point of reinforcement.”

So, gimmicks and branding aside, perhaps the best way to market security is through transparency and communication. Bonsall is no stranger to that tactic.

“About once a week we get a question via email from a customer,” he says. “We have some materials, but I tell them if they're not satisfied with that and want to deal with me, I'm happy to do so.”

CASE STUDY:
ChoicePoint responds
When ChoicePoint revealed nearly three years ago that identity thieves posing as customers stole 163,000 personal records, the Alpharetta, Ga.-based company's marketing team had to mobilize quickly.

James Lee, senior vice president and chief marketing officer at the company, said his role forever changed after the watershed breach, which has cost ChoicePoint more than $30 million, excluding the $15 million in fines and customer redress imposed last year by the Federal Trade Commission.
“My personal time is spent in large part worrying more about the perception of our brand, the reputation of our brand, than what's the latest brochure that's going to create lead-generation for some product,” Lee says.

Apparently this tactic has paid off. Lee, who joined the 5,000-employee ChoicePoint in 2000, says no customers left after the breach.

“We developed materials and a series of messages to make sure that everyone knew what we were doing and why we were doing it,” he says.  “It wasn't marketing in the classic sense of driving sales or revenue. It was communications in the classic sense of driving awareness.”

That meant ChoicePoint personnel speaking with customers whenever they had questions or executives appearing at various conferences to openly discuss what happened and how the company reached the point where it is now considered a privacy leader.

“We're like the elder statesman at this point,” Lee says. “We went through a very difficult time. We survived. We learned things that are valuable to other businesses. We haven't tried to build a brand around it or a product set around it because we don't think that's appropriate.”
 — Dan Kaplan