Crisis creates momentum for security initiatives. When the existing ways no longer work, change becomes possible. It could be as mundane as an audit finding, or it could be as high profile as a security breach. Once it happens, once things get moving, implementing security controls becomes much easier.
Yet crisis response isn’t conducive to thoughtful security design. The trouble is, with greater support comes greater time pressure and greater expectations.
The Quartz Crisis
A case study in turning crisis into strategy was the Swiss watch makers ASUAG/SSIH and the Quartz Crisis. The cause of the crisis was a disruptive technology which changed the game: the quartz watch movement.
The Swiss dominated the watch market. Capturing the majority of the market share in the 1950s following World War II, the Swiss built their industry on the mechanical watch movement. The movements were a feat of mechanical engineering. Beauty is a set of precise gears and levers operating in lock step. The watch was a matter of national pride — and rightfully so.
Then came the quartz watch movements. Cheaper. Simpler. At first, serious watch makers looked down on these upstarts. But by 1970, quartz watches were disrupting the industry. The crisis hit the Swiss hard. Bankruptcies. Unemployment. By the early 1980s, two-thirds of the Swiss watch industry had evaporated.
Then, in 1983, ASUAG and SSIH merged and set a course for becoming the Swatch Group in 1998. Yep. That Swatch.
Swatch was the cool kid watch for those growing up in the 1980s. It was bright. It was colorful. Swatches were affordable without feeling cheap, Swiss prestige without feeling stodgy.
This led to a cultural shift. Before Swatch, a Swiss watch was a gift given on a major life milestone. The watch was unwrapped then tucked away, taken out for special occasions, carefully (or not so carefully) wound and set, and then placed back in the box afterwards.
With the Swatch, people used watches for everyday style. It became common for people to have a few, in different colors and patterns. Sometimes people wore several watches at once. Swatch was a form of rebellion and a form of personal expression. The eighties were a crazy time.
“We talked about companies like Swatch—companies that broke the rules—that viewed technology as a way to the consumer, not the consumer as the path to the technology.”
The good thing about crisis is that it gets the ball rolling. The danger with crisis is people taking short-term action without an eye towards a bigger vision.
We can tell when a security program has been built by crisis. There are many great things being done, but they don’t integrate or connect. The security products purchased in response to an event tower above the rubble like well-funded monuments in an under-funded abandoned development.
When the Quartz Crisis hit, look at what ASUAG and SSIH did not do:
- Double down on what they’ve always done – they developed a Swatch, not another expensive heritage watch
- Give up their strengths – Swatches brought Swiss quality to the Quartz watch market segment
- Respond in isolation – the Swatch strategy tapped into a cultural moment, and that success was directed to provide a comprehensive product strategy
- Ignore the workforce – early profits from Swatch went to engineering talent, shoring up the profession
Sure, the Swatch was more engaging, was simpler, was more affordable, was more fun. But what made Swatch a successful response to the crisis was that the watch was tied to an overall strategy. It wasn’t an isolated action. The Swatch was a well-built cog in the ASUAG/SSIH mechanism.
The Crisis Business Case
When the business case is to address the crisis, build a Swatch.
This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.