Peter Cerrato is a principal consultant for Forrester's Business Technology consulting practice.
A very strange and sudden thing happened 66 million years ago. A comet crashing into the Mexican Yucatan peninsula near Chicxulub put an end to the long reign of the dinosaurs. But not so fast. We now know that some of those dinosaurs survived the massive Cretaceous-Tertiary extinction event: the smaller, faster, feathered and headed-toward-warm-blooded early ancestors of our eagles and hawks.
What can we as security and risk professionals learn from those early ancestors of today’s great raptors (and other birds) to make the leap required to survive the massive extinction event the business world is undergoing: the age of the customer?
In the age of the customer, any part of your business that does not directly drive revenue and growth is ripe for disruption. If you cannot explain clearly and succinctly to your leadership why information security is more than just another cost center, why it must become an integral part of what makes your brand trusted by your customers, then you will face either sudden extinction or death by a thousand slow budget cuts. Sure, speaking the language of fear may get you short-term attention but very soon you will be asked to prove that all the capital invested in shiny new security technology actually was well spent. Learning now how to make the leap from an internally-focused Information Technology mindset to an externally-focused Business Technology mindset is the only way to thrive in this new environment.
How to make the leap
Let's get started with three things that we can do today to plant the seeds not only for our survival but for our ability to thrive in the age of the customer:
- Get out and walk the halls. Go and spend some time with your chief marketing officer, the leader of your customer service team, the folks listening closely to what your customers are saying and ask them how you can help make their jobs easier and increase customer trust.
- Apply your risk management and analytical skills to customer-facing challenges. Your chief marketing officer’s customer experience team is (hopefully) busy mapping your customers' journey and touchpoints as they navigate their interactions with your products and services. Now is the time to bring your risk management skills to the table to help identify risks and strategies for addressing them at each point in this lifecycle.
- Plan for failure. The startup founders' motto is “fail fast, fail often”. But hidden inside that message is the key to success: listen closely to the signals your customers are sending you. Develop a continuous dialogue with the community that drives revenue and growth for your business. This is never more important than when you are dealing with a crisis. Plan ahead and know what to say to your customers when the time comes and your defenses fail.
What to focus on
In our consulting engagements, our clients are voicing their customer-facing security and risk challenges with a refreshing sense of urgency. This tells me that forward-thinking security leaders are taking seriously the importance of the outside-in perspective to the success of their businesses. Three areas that we are hearing about a lot these days are federated identity, brand resilience and business-centered metrics:
- Addressing customer-facing identity issues. A company that provides technical information to over 500k customers from both educational institutions and private industry needed a clear strategy for addressing the lack of a standard identity and authentication method across a large number of product sites and applications. Navigating the rapidly evolving landscape of protocols and standards for federation, non-intrusive authentication and the elimination of passwords was a critical first step. Defining clear architectural principles, frameworks and solution models then became a gateway for increased efficiency. The results of this strategic and architectural work will drive customer retention for years to come.
- Supporting brand through well-planned crisis management. Clients are asking us to provide detailed guidance on the external-facing component of breach incident response. Financial institutions in particular are recognizing that even the most mature and sophisticated security operations team may one day be faced with a breach of customer or employee data that requires a well-thought-out and timely series of communications. Bringing all the stakeholders together from legal to corporate communications and documenting the steps to be taken in a crisis can make a difference when it comes to how your customers react to the news of the breach.
- Producing metrics that matter to executive decision makers. Government agencies in particular have been coming to us lately looking for a way to structure their security program reporting metrics. While there is no one-size-fits-all approach there are some key steps we recommend, starting first with developing strong situational awareness followed by choosing metrics that align with how your business measures value.
Don’t be fooled by the current climate of heightened awareness due to the latest string of high-profile breaches. Ultimately your board of directors and the shareholders they speak for demand results in this new marketplace where power has shifted to the customer. The role of chief information security officer is rapidly evolving. You must learn to evaluate your own skills and relationships through the lens of the business technology agenda by focusing on how you can earn and maintain the trust of your customers or risk going the way of the dinosaurs.
Watch this space for more posts from Forrester consultants on how our clients are making a shift to a customer-obsessed business technology agenda.