While a smartphone easily has become an indispensable piece of personal technology, making smart decisions about business technology investments is a huge challenge. For insight on navigating data security, digital analytics and other current technology issues, Twin Cities Business consulted with six key experts.

On the security front, we solicited advice from Jeff Olejnik, CEO of Assurity River Group in Minneapolis, and Garrett Dietrick, information technology (IT) governance, risk and compliance leader for Secure Digital Solutions, a Minneapolis firm.

Tom Belle, president and CEO of the Gage marketing firm, Plymouth, offers guidance on social media and digital analytics. Tim Letscher, director of digital strategy and analytics at Colle McVoy in Minneapolis, also tackles web-related business issues.

On a host of business technology topics, we turned to two professors with extensive experience in this area. They are Brad Rubin, associate professor of graduate programs in software, University of St. Thomas, and Ravi Bapna, professor of information and decision sciences, University of Minnesota. Bapna also is co-director of the university’s Social Media and Business Analytics Collaborative.

Avoiding a Target-sized data breach

TCB: In light of the data breach at Target and other retailers, how are you seeing American retailers and other businesses fortifying their data security systems?

JEFF OLEJNIK: With all of the high-profile data breaches, it has become evident that all businesses are a target and that data breaches are inevitable. Historically, companies spent the majority of their resources on controls to prevent a breach, like firewalls and anti-virus investments, and not enough on detection and response. Understanding that prevention is not possible 100 percent of the time, companies need to invest resources on detecting and responding to data breaches to minimize the impact.

Additionally, companies are investing in routine security assessments and penetration testing. They are hiring “white hat” hackers to circumvent security controls to try to identify weaknesses before they are discovered by cybercriminals.

GARRETT DIETRICK: Target is like any business that has data valuable to someone bent on obtaining it. Whether the information is credit card, financial or health care data, it has value that can be exploited for financial gain. The value of data determines the effort cyber-thieves will take to obtain it—and also the effort businesses should make to safeguard it.

Retail breaches have been front and center recently. However, I believe most businesses are still in a mindset of risk avoidance, thinking, “It won’t happen to me.” Their current budgets are allocated for revenue generation programs, but not for shoring up security measures.

My strong recommendation is that businesses at least get an outside assessment to determine their “security maturity posture”—the strengths and weaknesses of their current security efforts. They’ll gain a clearer picture that pinpoints areas for improvement—along with an understanding of where to allocate their spending.

RUBIN: Retailers are in the business of selling goods, so any money spent on security is a drag on the bottom line. The ideal is to minimize the security expense while providing sufficient protection. Security is hard [to gauge] since it is clear when not enough is done, but it isn’t clear when too much is done, and the pressure is always on minimizing this expense.

Fortification requires a constant re-examination of risks, risk mitigation processes and technologies, the threat environment and employee skills. This re-examination should also be done with simplification in mind, because piling on more technology not only increases expenses, but the increase in complexity can actually decrease protection by creating usability and interoperability problems.

CEO creates the security culture

TCB: How can CEOs and presidents of companies educate themselves in broad terms about data security, so they know enough to ensure that their companies have good systems in place?

BRAD RUBIN: The CEO shouldn’t be the security leader, but must set priorities and the right tone. Businesses routinely, often with little debate, make the proper investments in technology, processes and people to ensure no one can abscond with $1 billion in corporate cash.

These days, data liability can meet or exceed traditional sources of exposure. CEOs should understand, quantify and clearly communicate the financial and image risks of data security breaches and ensure that security expense discussions are focused on maximizing efficiency of protection, and not just minimizing cost.

They need to demonstrate their interest and commitment by constantly asking questions and monitoring security activity. They need to reward those who prevent crises, not just the firefighters who extinguish them. They also need to set a good personal example by following the same corporate procedures required of their team.

DIETRICK: Start by recognizing a real risk to the bottom line. Currently, the cost of a data breach in the United States averages $201 dollars per record. Organizations need to understand the value of what they’re trying to protect and allocate a proportionate investment to securing it.

OLEJNIK: CEOs know what the “crown jewels” of the organization are. It could be information that gives a competitive advantage, like intellectual property, customer lists or patents. Or it could be data that would be devastating to an organization if it got into the wrong hands, like credit cards, financial information or health records.

Security culture starts at the top. CEOs should get involved to understand the company’s risks so that they can make informed decisions. CEOs should ask:

• What resources have been allocated to security (budget and personnel)?
• Where is our critical data or “crown jewels”?
• Who has access to it?
• How are we protecting it today?
• Have we conducted tests to evaluate our controls?
• How are we training our employees on protecting corporate assets?
• Where are we at risk?

Vetting ‘cloud’ providers

TCB: With greater emphasis on “the cloud,” do you have data security concerns associated with employees using the cloud for storing some of their work documents?

OLEJNIK: Absolutely. If an employee moves corporate data off the network to a cloud provider, that data is now out of the company’s control. Companies should have clear policies on acceptable use of company data, including the use of cloud providers. They should only allow access to cloud providers that have been properly vetted and approved by the company.

DIETRICK: While cloud-based services are a convenient way to store and access company data, they’re also attractive to cyber-thieves. Make sure your cloud-based service provider puts a high priority on security. The vendor should meet or exceed your internal standards for safe data management, and be willing to go through an assessment for the potential risk they pose.

The main concern today with cloud-based services involves the use of mobile devices and how users of tablets and smartphones can access the corporate data repository via a cloud. Companies need to ask: What data are synchronized? How are they protected? Do other people have access to data? And are employees’ home personal computers protected the same as those at work? The answers should drive your security policies and investments.

RUBIN: A cloud provider that heavily invests in security expertise and technology can often offer better protection than in-house solutions, so it can make sense to shift risk to the cloud.

However, moving important data assets to a third party doesn’t eliminate the risk of compromise, and the loss of control and audit over sensitive data creates an offsetting risk. One solution is to make sure that data are encrypted before moving to the cloud, so companies can reap the economic and convenience benefits of the cloud, without having to totally trust it.

Security: People vs. Technology

TCB: In a layperson’s terms, what kinds of product innovations are surfacing that will enhance data security management?

RUBIN: I tell my students that security is more of a people problem than a technology problem. If you look at the root cause of most security breaches, you will usually find a human issue such as having a password of 123456, reusing the same password on multiple systems, opening an attachment from a stranger, misconfiguring security systems, ignoring security warnings, not updating software, or divulging sensitive information to unauthorized emails, websites, surveys or phone callers.

Adding more products that harden one route of attack often causes attackers to just find another route, and the easiest route for most attackers is through a human.

In my view, investments in education, training and technology to harden the human [element], making it easy for people to do the right thing and to detect when they don’t, are some of the best, yet often most overlooked, opportunities for enhancing security. There is not now, nor will there ever be, a security silver bullet.

Crafting a Social Media Strategy

TCB: In an environment in which social media is so prevalent, virtually every type of business is attempting to have a strong social media presence. What are the considerations that companies need to address before devising a social media strategy that works for them?

TOM BELLE: First, marketers need to define their objective or the problem they’re solving and the result they would like to achieve from the investment in social media. Then identify gaps in their current marketing that can be addressed via social media that are succinct and measurable.

From there, start small with measurable tests to identify what is working and what is not. Learn from those tests, then grow and scale with each subsequent success.

TIM LETSCHER: A business first needs to ask: “How does a particular channel help us reach a business goal and how does it fit into our overall ecosystem?” They need to stay focused on what meets their business goals. Second, and just as critical, is to align with how consumers are actually behaving within social media. What are their needs and how will your business help?

Approaching social media as an entity in and of itself can cause businesses to miss a lot of opportunities. The whole business needs to contribute to social media (paid, earned and owned content). Businesses need to consider the entire ecosystem and how it plays into social. Social media is marketing, CRM (customer relationship marketing), crisis communications, culture, recruitment and more. Consider how social media can help with thought leadership, sales or customer service and decide what channels make the most sense.

When a business listens first, they will quickly realize that what their audiences are doing through social media is nothing new. There has always been word-of-mouth, always been third-party evaluations of company products and services. What’s different now is the relative ease and speed with which each individual instance can be generated, shared and, in turn, reviewed.

Leveraging Data That Drives Business

TCB: In the era of big data, many companies are awash in information. When you work with a company to determine what data it needs to gather and how to analyze that data, how do you approach it so it doesn’t become overwhelming? How do you decide what’s relevant vs. being buried in numbers that are not important to successfully leading a business?

BELLE: Data can help an organization be smarter, more effective and can drive incremental benefit and value for customers and prospects. While “big data” is a common theme in 2014, the best approach is test and learn.

Digital marketing provides organizations access to data in unprecedented quantity, at warp-speed accessibility. This combination of speed and quantity enables marketers to quickly create small tests to learn how to leverage data that drives business.

A best practice is to use an iterative approach with big data; don’t jump into the deep end right away. This allows marketers to determine what data are needed to accomplish the initial tests and won’t create the drinking-from-the-firehose effect caused by the sheer volume of data amassed.

LETSCHER: Data are important, but data are people. Humanize the data and tie it to business goals. Otherwise it’s simple to get caught chasing “interesting” metrics that divert time and resources from “relevant” metrics.

Data are merely building blocks, but you still need analysts to understand what the data means. For instance, a bounce rate is an important metric for a web page, until it’s not. Taken at face value, a high bounce rate indicates poor performance, but maybe that page successfully answers a question for millions of people who don’t need to go any deeper within your site. [A bounce rate is considered when analyzing website traffic. A visitor bounces when viewing one web page and then leaves the site.]

So with data, take a step back and ask: what are you actually trying to find out? Data matters but data is not your goal. Your goal is your goal.

Finding Yin-Yang Social Capabilities

TCB: What kinds of companies are doing a good job using social media to increase their sales? Does virtually every business today need a strong social media presence? Why?

RAVI BAPNA: Social media is here to stay. For Gen Y and Z, using social media ,particularly on mobile devices, is a natural element of their existence. For society, and, by extension, for companies, what this means is that many of our day-to-day social processes—say consuming media, or interacting with friends, or finding dates—are now digitized at the micro-level. This deep granularity of data around our key day-to-day social process requires a different managerial approach and skill set to leverage.

Companies that derive higher-order returns from social media need to have a set of what I call yin-yang capabilities. They have to be creative, genuine and authentic on one hand. This has to be matched with the ability to handle big data and sophisticated econometric and machine learning-based analytics.

It goes without saying that social media is more valuable to B2C [business-to-consumer] companies, at least from the point of view of playing offense. B2B [business-to-business] companies can, however, be subject to attacks from social media, and need to play good defense.

TCB: If a company is attacked, justly or unjustly, on social media, does the business need to communicate its response both on social media and traditional media platforms to repair harm to its reputation?

BAPNA: Yes, it’s essential to be on the same media that you are being attacked from. The best strategy here is to have your force multipliers— other consumers who will speak up in your defense. This in turn requires making long-term investments in building communities with your key stakeholders.

Apps Spur Shopping In Brick-and-Mortar Stores

TCB: In the retail sector, what are some examples of how social media and digital analytics are helping retailers stay in business when consumers are increasingly buying products online?

BELLE: A local example is the mobile app named Cartwheel from Target. The app shifted coupons from a paper-based, individual experience to one that is digital and social. Cartwheel tracks consumers’ activity—buying, liking and sharing—and enables them to share that with friends. That way consumers can discover new offers and products through their social connections.

The app was introduced to combat the shifting consumer behavior of increasingly buying products online by delivering offers to customers’ fingertips that are relevant and wrapped in social context. Cartwheel is using social media combined with data analytics to create rich, personalized experiences that add incremental value for the customer, ultimately creating loyalty and driving foot traffic to their brick-and-mortar locations.

LETSCHER: Social media and digital analytics let us get incredibly deep and rich information about our audiences—what they are saying and doing online, whether or not they purchase what we had hoped or intended for them.

We can hone media buys, creative messaging, the products or services themselves and perhaps even the overarching strategies based on insights gleaned from this data. Native advertising [sponsored online content] continues to emerge as an essential part of the media mix, particularly as e-commerce capabilities get baked into tweets, pins [on Pinterest] and Facebook posts.

We’re starting to see the big brick-and-mortar retailers pull their head out of the sand and embrace the showrooming phenomenon by enhancing levels of service, like in-store pickup for online orders or smartphone discounts only available if you buy in-store. [Showrooming is the practice of looking at goods in stores and then leaving and buying the products online at another retailer.] Online, retailers have a limitless virtual warehouse to move leftover products, whether on their own sites or through third parties like Overstock or Woot.

Crowdsourcing to Develop Products

TCB: In a world in which technology is rapidly changing, what kinds of businesses or industries seem to be particularly adept at incorporating the latest technology to improve their bottom line business performance? How have they achieved their success?

BAPNA: Every industry has its share of leaders and laggards. A lot boils down to whether the firm has a systematic process to be scanning, evaluating and deploying technology for business advantage. Large-scale technological changes, such as deploying an enterprise-wide SAP system or leveraging big data and analytics for decision making or using an open-innovation crowd-based R&D [research and development] model, are hard because they have to be complemented with organizational change that is led by visionary leadership.

The CEO of Procter & Gamble, A. G. Lafley, was visionary because way back in 2000 he recognized that as good as P&G’s R&D innovation machine was, it would benefit the company to be open to ideas from the crowd— those outside the company that had something to contribute. [Through its corporate crowdsourcing, P&G invites people to submit their innovative ideas.]

U.S. Should Lead in Robotics

TCB: The manufacturing sector in the United States has become increasingly more productive by incorporating modern technology. Do you anticipate that this will allow the manufacturing sector to expand as technological innovations continue, or will ideas and patents spring forth in large numbers in the United States and a substantial portion of product manufacturing occur overseas where labor costs are lower?

BAPNA: Firms in a capitalist economy will always optimize on their two key inputs of production, capital and labor. In the case of labor, it means thinking of the globe as a potential pool of labor in deciding where to do what.

The United States, with its superior technological innovation engine and research climate, certainly has the opportunity to be at the forefront of bringing in order-of-magnitude changes in robotics-based manufacturing for instance. But whether this results in more manufacturing jobs here is unclear.