April 9, 2012

Delivering Cybersecurity With Customer Focus: Who, When, Where and How

So how can this customer service theme work for security professionals? Allow me to tell you a true story.

Every manager has a day like this at some point.

It was in late spring of 2009, and I was having one of those “open and honest” conversations with my Infrastructure Services (IS) Leadership Team regarding how things were really going with internal organizational relationships. I had moved over from the Chief Information Security Officer (CISO) role to become the Chief Technology Officer (CTO) a few months earlier, and this was the moment that I later declared to my wife that my “infrastructure honeymoon period” was officially over.

How did I get to this point? You know the drill. My boss wasn’t happy with certain projects that were running late. I needed to get to the bottom of the situation.  I assembled several direct reports and my project management office leaders for a “clear the air” meeting.   I wanted to know why various schedules and deliverables were in their present state. How did we get into this mess? Why were certain projects on track while other areas seemed to be treading water? What was holding up our progress? 

Yes, I did my homework and was well-prepared for the meeting. I delivered my 10-minute “opening speech” perfectly. But after I was finished, I was not prepared for what came next.

After a long silence, one person spoke up, “You’re not going to like the answer because of your previous role. It’s complicated, but one of the biggest reasons is security…. There are other problems as well, but we can’t nail down the technical architecture with security holding things up….”

[Note: At this point, several respected project managers provided specific details and examples of the difficulties. This went on for another 10 minutes or so. Listening to this was painful, humbling and a far cry from where I expected the conversation to go.]

I responded defensively: “Let’s back up a minute. What do you guys really think about our security organization? Forget that I came from there. I have thick skin. Tell me what you really think….”  

Oops, I had inadvertently opened up Pandora’s box. Like popcorn, the answers started flying from around the room…

“Security always says no.”

“Security doesn’t offer us options.”

“Security has a chip on their shoulders.”

“We don’t really know them – very well.”

“There are a few superstars, but overall they’re a bottleneck.”

Eventually, the guilt started kicking in as the faces dropped around the table ….

“Well, it’s not all their fault, we know they want to do the right thing.”

“They are passionate and care about protecting us. But … you know….”

“It always seems like we’re in WIN-LOSE or LOSE-WIN situations and rarely a WIN-WIN with security.”

Wow… I wasn’t expecting this…

Over the next few months, I thought quite a bit about that conversation. That meeting exchange eventually compelled me to write the CSO Magazine article “Why security pros fail (and what to do about it)” about six months later. You can also see the same material in the slide format that I used to present at SecureWorld and MS-ISAC conferences over the past eighteen months.

 Looking back, I can see so many blind spots that I had in both my CISO and CTO roles. (No doubt, I have new blind spots now as CSO.) One of the biggest lessons was this: Every part of ICT organizations must have a customer-service attitude and perspective to succeed.  Working out the details of what that means is a difficult, but essential, exercise that we all must go through.

No doubt, there are obvious aspects to customer service, but it takes much more effort to exceed expectations in the way that David Behen described in the hotel customer service experience recounted in my last blog. That kind of experience doesn’t happen by accident, and I’m sure that an enormous amount of thought and training went into the approach that was used by that hotel.

So how can this customer service theme work for security professionals? Here’s a summary slide from my CSO Magazine article on overcoming security career obstacles:

 

If you’re a security pro and you’ve never seen this material before, I urge you to go back and read that CSO article or the longer blog series. If you really care and desire to improve, it’s going to take perseverance and a disciplined approach. As we discussed last time, customer service is everyone’s responsibility. While we never fully “arrive” at customer service perfection, we can all strive to improve this area of our security team leadership.

We can also strive to be “lifetime learners,” and not only in matters related to new technology and security developments. Here’s an excerpt from the series on problem 7:

“We all need to learn the power of the Pareto principle, which states that 80 percent of the effect of our work comes from 20 percent of the causes. In John C. Maxwell's book Leadership 101: What Every Leader Needs to Know, he describes the power of the Pareto principle at work. Here are a few examples:

- 20 percent of your time produces 80 percent of your results.
- 20 percent of the people take up 80 percent of your time.
- 20 percent of your work gives 80 percent of your job satisfaction.
- 20 percent of the people will make 80 percent of the decisions.
- 20 percent of the presentation produces 80 percent of the impact.

Maxwell goes on to point out that we need to develop skills in four areas to be successful and maximize our effectiveness: attitude, relationships, equipping and leadership. But many security pros have given up trying to improve at all, or only work on improving technical skills.”

Without this broader customer perspective, security is nothing more than a roadblock. The sad truth is that roadblocks eventually get removed one way or another, once they have served their purpose.  

Next time, I’ll wrap up this mini-series on security customer service with some thoughts on balancing easy-to-use business functionality and security controls that likely slow users down. Or put another way, can IT security actually introduce risk by being too controlling rather than a team player?

Do you have any thoughts or examples to share on security customer service?