The ability of security leaders to abstract out technology and put decisions in terms of business outcomes is critical to their success in a modern risk-based world
While IT, and most businesses, have been focused on operational excellence for the past 20-30 years, Gartner analysts said it’s time security leaders put the focus on customer experience.
“Today, the battle ground for the digital industrial revolution is the customer experience,” said Leigh McMullen, research vice president at Gartner. “It’s not about cost; it’s not about efficiency; it’s not even about product. It’s about experience.”
Everyone is a big digital consumer, and in this digital world, users expect customization to all their preferences. For security leaders, this means giving up some control, and it is resulting in the nexus of the cultural clash. This clash is taking place when risk issues are passed from the business department to the security department, with the expectation that the security team will deal with the problem. Gartner analysts said the key to changing this relationship is engagement.
“We as security people want things to be controlled,” said McMullen. “We want them stable, but people’s expectations are being set by forces outside our control, which means we (security leaders) need to change how we engage if we want to be successful. We have to give up control to gain influence.”
Create an Effortless Experience
The experience that customers are looking for is an effortless experience. The analysts pointed out that effort, not satisfaction or net promoter score, is the best predictor of future buying behavior.
“Security should not wreck the customer experience, but it often does,” McMullen said. “Customers, and that is everyone in your enterprise, want the effort they put in to match the value they expect to get. If you deliver the wrong experience, they’ll just tune you out.”
Gartner has identified five things security and risk leaders can work on now to create a better experience for their executives. They include:
Actually speak to executives about things that matter to them. Gartner analysts said studies have shown that fear of risk and security is materially impacting innovation.
“Organizations are slowing down because they fear this issue,” said Paul Proctor, vice president and distinguished analyst at Gartner. “If you can improve their comfort and understanding of risk and security, you can help your company move faster. That is truly a business value of security.”
Proctor said it’s important for security leaders to talk to business leaders about what matter to them. Show them how their business outcomes are directly dependent on technology. He said security leaders need to engage with business executives over things those executives think are important.
Help executives with their decisions through operationally focused risk assessments. To help business executives, Gartner recommends that security leaders start with a business process and conduct interviews with the people who execute that process.
Gartner analysts shared an example of a police department that has created an operationally-focused risk assessment process that takes two weeks, delivers summary recommendations in a business-focused context, and requires a non-IT executive decision maker to act on the results.
“Offering executives decision-making in the context of operational outcomes makes these engagements more than interesting to them. It directly impacts the decisions they make,” Proctor said. “You are now helping them do their job.”
Create defensibility for your executives. Executives do not directly control technology risk and security. However, when an organization gets hacked, the public wants executives to face consequences for the security breach.
“We have treated security like a dark art for so long that when an organization gets hacked, people don’t understand,” McMullen said. “So, the primary question is, ‘Who screwed up?’ You can’t guarantee the organization won’t get hacked, so stop selling your executives protection, and start selling something they truly need, defensibility.”
Take tech out of your conversations. The ability of security leaders to abstract out technology and put decisions in terms of business outcomes is critical to their success in a modern risk-based world. Gartner analysts said security leaders need to understand their company’s business model.
“When we talk about technology risk and security, primarily in technology terms, stakeholders treat us like wizards who cast spells and protect the organization,” Proctor said. “Making risk and security more transparent and business-aligned is an absolute requirement to get you out of the wizarding world.”
Move from project to product management. Project management is something security leaders have always done. They prioritize and fund activities. For example, there are start times, execution gates, implementation, acceptance testing, integration, and deployments included in project management. There is a beginning and an end.
In product management, everything is continuous. Typically, it’s organized around a business process, and the IT requirements to support that business process. For example, in an insurance company, a product line could be underwriting, and in a risk and security context, underwriting needs access to control, perimeter protection, threat and vulnerability management, handling and treatment of sensitive data continuously. There is no end date.
“Doing these five things will improve executive experience, their perceived value, and result in a better, more appropriately protected organization,” Proctor said.