Delivering Cybersecurity With Customer Focus: Who, When, Where and How

So how can this customer service theme work for security professionals? Allow me to tell you a true story.

April 9, 2012

Every manager has a day like this at some point.

It was in late spring of 2009, and I was having one of those “open and honest” conversations with my Infrastructure Services (IS) Leadership Team regarding how things were really going with internal organizational relationships. I had moved over from the Chief Information Security Officer (CISO) role to become the Chief Technology Officer (CTO) a few months earlier, and this was the moment that I later declared to my wife that my “infrastructure honeymoon period” was officially over.

How did I get to this point? You know the drill. My boss wasn’t happy with certain projects that were running late. I needed to get to the bottom of the situation.  I assembled several direct reports and my project management office leaders for a “clear the air” meeting.   I wanted to know why various schedules and deliverables were in their present state. How did we get into this mess? Why were certain projects on track while other areas seemed to be treading water? What was holding up our progress? 

Yes, I did my homework and was well-prepared for the meeting. I delivered my 10-minute “opening speech” perfectly. But after I was finished, I was not prepared for what came next.

After a long silence, one person spoke up, “You’re not going to like the answer because of your previous role. It’s complicated, but one of the biggest reasons is security…. There are other problems as well, but we can’t nail down the technical architecture with security holding things up….”

[Note: At this point, several respected project managers provided specific details and examples of the difficulties. This went on for another 10 minutes or so. Listening to this was painful, humbling and a far cry from where I expected the conversation to go.]

I responded defensively: “Let’s back up a minute. What do you guys really think about our security organization? Forget that I came from there. I have thick skin. Tell me what you really think….”  

Oops, I had inadvertently opened up Pandora’s box. Like popcorn, the answers started flying from around the room…

“Security always says no.”

“Security doesn’t offer us options.”

“Security has a chip on their shoulders.”

“We don’t really know them – very well.”

“There are a few superstars, but overall they’re a bottleneck.”

Eventually, the guilt started kicking in as the faces dropped around the table ….

“Well, it’s not all their fault, we know they want to do the right thing.”

“They are passionate and care about protecting us. But … you know….”

“It always seems like we’re in WIN-LOSE or LOSE-WIN situations and rarely a WIN-WIN with security.”

Wow… I wasn’t expecting this…

Over the next few months, I thought quite a bit about that conversation. That meeting exchange eventually compelled me to write the CSO Magazine article “Why security pros fail (and what to do about it)” about six months later. You can also see the same material in the slide format that I used to present at SecureWorld and MS-ISAC conferences over the past eighteen months.

 Looking back, I can see so many blind spots that I had in both my CISO and CTO roles. (No doubt, I have new blind spots now as CSO.) One of the biggest lessons was this: Every part of ICT organizations must have a customer-service attitude and perspective to succeed.  Working out the details of what that means is a difficult, but essential, exercise that we all must go through.

No doubt, there are obvious aspects to customer service, but it takes much more effort to exceed expectations in the way that David Behen recounted in his hotel customer service experience, described in my last blog. That kind of experience doesn’t happen by accident, and I’m sure that an enormous amount of thought and training went into the approach that was used by that hotel.

So how can this customer service theme work for security professionals? Here’s a summary slide from my CSO Magazine article on overcoming security career obstacles:

 

If you’re a security pro and you’ve never seen this material before, I urge you to go back and read that CSO article or the longer blog series. If you really care and desire to improve, it’s going to take perseverance and a disciplined approach. As we discussed last time, customer service is everyone’s responsibility. While we never fully “arrive” at customer service perfection, we can all strive to improve this area of our security team leadership.

We can also strive to be “lifetime learners,” and not only in matters related to new technology and security developments. Here’s an excerpt from the series on problem 7:

“We all need to learn the power of the Pareto principle, which states that 80 percent of the effect of our work comes from 20 percent of the causes. In John C. Maxwell's book Leadership 101: What Every Leader Needs to Know, he describes the power of the Pareto principle at work. Here are a few examples:

- 20 percent of your time produces 80 percent of your results.
- 20 percent of the people take up 80 percent of your time.
- 20 percent of your work gives 80 percent of your job satisfaction.
- 20 percent of the people will make 80 percent of the decisions.
- 20 percent of the presentation produces 80 percent of the impact.

Maxwell goes on to point out that we need to develop skills in four areas to be successful and maximize our effectiveness: attitude, relationships, equipping and leadership. But many security pros have given up on trying to improve at all, or only work on improving technical skills.”

Without this broader customer perspective, security is nothing more than a roadblock. The sad truth is that roadblocks eventually get removed one way or another, once they have served their purpose.  

Next time, I’ll wrap up this mini-series on security customer service with some thoughts on balancing easy-to-use business functionality and security controls that likely slow users down. Or put another way, can IT security actually introduce risk by being too controlling rather than a team player?

Do you have any thoughts or examples to share on security customer service?

 

Dan Lohrmann Chief Security Officer & Chief Strategist at Security Mentor Inc.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.

During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.

He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.

He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.

Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.

He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.

Follow Lohrmann on Twitter at: @govcso