
5 steps to building a good CX for business security

BUSINESSES often struggle to build in security features that everyone follows.

Sometimes, this is because IT specialists decide what’s right for the organization arbitrarily instead of understanding how its employees function.

So, according to Gartner, it’s time for IT to shift focus from operational excellence and put more thought into internal customer experience (CX).

Everyone is now a heavy digital consumer, and in this digital world users expect everything to be customized to their preferences. For security leaders, this means giving up some control, and that is the nexus of a cultural clash.

This clash takes place when risk issues are passed from the business department to the security department, with the expectation that the security team will deal with the problem. Gartner analysts said the key to changing this relationship is engagement.

“We as security people want things to be controlled. We want them stable, but people’s expectations are being set by forces outside our control. Which means we (security leaders) need to change how we engage if we want to be successful. We have to give up control to gain influence,” explained Leigh McMullen, Research Vice President at Gartner.

What customers are looking for is an effortless experience. The analysts pointed out that effort, not satisfaction or net promoter score, is the best predictor of future buying behavior.

“Security should not wreck the customer experience, but it often does,” Mr. McMullen said. “Customers, and that is everyone in your enterprise, want the effort they put in to match the value they expect to get. If you deliver the wrong experience, they’ll just tune you out.”

To help specialists, Gartner proposed 5 steps that will ensure a stellar CX:

Speak to executives about things that matter to them:

“Organizations are slowing down because they fear this issue. If you can improve their comfort and understanding of risk and security, you can help your company move faster. That is truly a business value of security,” said Paul Proctor, Vice President and Analyst at Gartner.

Proctor said it’s important for security leaders to talk to business leaders about what matters to them.

Show them how their business outcomes are directly dependent on technology. Security leaders need to engage with business executives over things those executives think are important.

Help executives with their decisions through optimally focused risk assessment:

To help business executives, security leaders should start with a business process and conduct interviews with the people who execute that process.

“Offering executives decision-making in the context of operational outcomes makes these engagements more than interesting to them. It directly impacts the decisions they make. You are now helping them do their job,” suggested Proctor.

Create defensibility for your executives:

Executives do not directly control technology risk and security. However, when an organization is hacked, the public wants executives to face the consequences.

“We have treated security like a dark art for so long that when an organization gets hacked, people don’t understand. So, the primary question is, ‘Who screwed up?’ You can’t guarantee the organization won’t get hacked, so stop selling your executives protection, and start selling something they truly need, defensibility,” explained McMullen.

Take tech out of the conversation:

Security leaders must be able to abstract out technology and put decisions in terms of business outcomes if they want to succeed in a modern risk-based world. Security leaders need to understand their company’s business model.

“When we talk about technology risk and security, primarily in technology terms, stakeholders treat us like wizards who cast spells and protect the organization. Making risk and security more transparent and business-aligned is an absolute requirement to get you out of the wizarding world,” suggested Proctor.

Move from project to product management:

Security leaders manage projects: they prioritize and fund activities. However, this now needs to shift to product management.

For example, project management includes start times, execution gates, implementation, acceptance testing, integration, and deployments. There is a beginning and an end.

In product management, everything is continuous.

Typically, it’s organized around a business process, and the IT requirements to support that business process.

For example, in an insurance company, a product line could be underwriting, and in a risk and security context, underwriting continuously needs access control, perimeter protection, threat and vulnerability management, and handling and treatment of sensitive data. There is no end date.