And now for something completely different. We have a special guest this time on Security > 140. Ok they are all special,but instead of talking about ABAC or Static Analysis or API economy or identity or software security or Netflix security or security writ large, instead of all that we are going to talk brands.
Bruce Tait is a Founding Partner at Tait Subler, a strategic consultancy specializing in the development of holistic, highly-differentiated brand strategies.
All of us in infosec have heard the term brand bandied about many times, on the receiving end of other's definitions of brand, the meaning can seem a bit, shall we say, fluid. I wanted to hear the straight dope from a leader in the field, and get some thoughts on how to assess and measure risk, and what to prepare for to defend the brand as an asset.
Gunnar Peterson: Information security has to deal with a lot of different kinds of risk, some are technical and some are business. One area that confounds a lot of tech folks is brand. We hear it all the time, but how much does it really matter? Coca Cola can sell sugar water for billions of dollars all over the world, so brand obviously can make a big difference, but all brands are not created equal, right? What qualitative factors should we look for to identify a brand at a company or if the company has one at all?
Bruce Tait: There are a lot of complicated definitions for “brand” and many marketers disagree on the meaning but the most straightforward and useful way to think about a brand is this: brand=reputation. Just as a person’s reputation is based on what they do, more than what they say about themselves, a company's or product’s reputation is based on how it acts and performs — in all ways. Brand is not just a marketing concept that is impacted by advertising or visual identity (logo, etc.). Everything an organization does impacts the brand.
The thing that makes some brands more valuable is that some organizations use the brand as the conceptual center of the their business plan. So the brand (reputation) the company wants becomes the key filter for all decision-making. For example, a shoe manufacturer might ask this question — “Will this manufacturing decision to have children in Bangladesh make our shoes be in keeping with our brand concept of ‘empowerment’?" If the answer is no, then another factory needs to be used that does fit with the brand strategy.
Communication (ads, PR, social media, etc.) can magnify the aspects of an organization’s actions they want people to notice the most and they can create a conceptual framework or expectation that adds value to the experience of a product or service, but they cannot cover up or change the totality of actions that create a brand (reputation).
GP: Are there ways to tell if a brand is getting stronger or weaker over time?
BT: Yes. Most sophisticated companies do brand tracking research that measures brand imagery attributes (both positive and negative) to determine whether their brand imagery is getting closer or further away from the brand image they want (their brand strategy). There are also measures like the Net Promoter Score that can be measured over time. This type of score determines the degree to which people would recommend the brand to friends, associates or family.
GP: What measurements can you use to quantify brand strength? I assume the public customer surveys are not worth much but what about profit margins? Customer retention?
BT: Brands are assets and can be valued like other assets (based on discounted cash flows) — Interbrand does a valuation of the top 100 brands in the world for Bloomberg every summer. We look at measures like this to see if we are increasing the brand’s equity or not with our work. For instance, after we worked with Gucci, they moved up 20 spots on the top 100 list, increasing the valuation of the brand by about $4 billion and making the brand more valuable than Starbucks and Lexus, combined.
But as above, understanding how a brand’s target group looks at the brand and what dimensions of brand imagery are improving or worsening is far more helpful diagnostically than looking at profit margins or customer retention. Profit margins can decrease because raw materials costs spiked — can’t blame that on the brand. Customer retention may be down because the company is trying to shed unprofitable customers or some other strategic and intentional reason. If you want to know about how well the brand is doing, look at the brand’s reputation in the minds of its targeted consumer.
It’s important to remind brand managers that brands live in the minds and hearts of their target group. That’s where you need to look to see how it’s faring.
GP: There have been so many data breaches over the last decade, but the pace and impact keeps going up. These days you cannot pick up the Wall St Journal without reading about "cybersecurity." Target is the most recent major example, what should companies do to protect their brands before and after a breach event?
BT: The best way to protect a brand from an unintended negative event is to create what we call a “values connection” with your customer. This builds the most powerful form of trust (identity-based trust) which is largely irrational. The other kind of trust is called calculus-based trust and it’s completely rational (See the study — Lewicki, Tomlinson. ‘Trust and Trust Building: Beyond Intractability, University of Colorado, 2003). If you do what you say you’ll do consistently, you can build calculus-based trust. But the first time you disappoint me that trust is shattered. It’s not resilient at all.
Now if you create a values connection by communicating to your customers what your values and beliefs are — what your purpose is as an organization (beyond making money) — consumers or customers who agree with your life view (your values) come to think you have their best interests in mind, especially if your actions prove that you mean what you say. This builds identity-based trust. Apple is the best example of this. Ask any Apple devotee about whether the brand lets them down and they will likely say it does all the time, in ways large and small. But they have that Apple logo on their car to tell the world that they are “Apple People.” Apple under Steve Jobs did a great job of explaining that it’s a company dedicated to making “tools for creative minds” (their intended reputation, or brand strategy). People who want to feel they have creative minds say, “I agree with Apple and I value creativity too.” In fact, the Apple logo comes to represent that values system and purpose more than it does computers. Apple has created incredibly powerful identity-based trust.
It will take a lot of egregious mistakes that are counter to their purported purpose to shake that trust. It’s a well-insulated brand for now.
Now Target is an interesting example. As the stories start to emerge that allege they didn’t act quickly when the alarms were sounded, it hurts the brand much more than the original incident. It suggests some kind of insensitivity to many people we’ve talked to and an indifference to the best interests of their customers that cuts right to the quick of any identity-based trust they have. It’s a dangerous time for that brand, especially if the reminders of this incident stay in public view for too long or continue to leak out a little at a time for a long time. In the best case, it will deplete the identity-based trust around the brand, which de-values the asset.
GP: In your view how much brand equity is at risk based on the dependencies on other companies? For example, Netflix runs its service on Amazon's cloud. If Amazon's cloud has a breach then Netflix's customers could be at risk. The consumer does not care about Netflix' internal issues they have a relationship with Netflix not Amazon, but the service provider execution could lead to an issue for Netflix. How should companies think about playing defense here?
BT: People may be angry at Netflix, but if Netflix used a known and respected supplier like Amazon, I think the crap runs downhill here and Amazon is hurt more than Netflix. In this case, the consumer could say, “that could have been me because I deal with Amazon too" (albeit in a different context and business). The key is how the consumer views the intentions of the company that has made the mistake. If they see the intentions as being good, then it can be viewed like a natural disaster and they may be off the hook.
In this case, hypothetical case, Neflix didn’t use some shaky foreign company to try to make a bit more money, they were simply burned by trusting Amazon… If the consumer believes Netflix still had my best interests at heart, he or she will forgive them much more quickly than if the problem was an act of arrogance or indifference on their part. We all hate to feel like “they really don’t care what happens to me.” Back to Target, they need to show that they really, genuinely do care because the latest news seems to indicate otherwise. They need to re-prove the things that made people love them in the first place and they need to take responsibility, plea mea culpa (diminish the perceived arrogance) and visibly fix the issue.
The classic case for addressing a problem like this is Tylenol’s product tampering situation. They did everything right and it’s a case taught in business schools today. You can bet a lot of people at Target have been reviewing it lately.