How Security and IT Can Leverage the Secrets to CX Success
Here at Kenna Security, I spend my days ensuring my team helps our customers get the most from their investment in Kenna Security. I believe our dedicated approach to delivering a superior Customer Experience (CX) has been an important success factor for Kenna, and it sets us apart from our competitors.
A good CX team not only works to keep customers engaged and satisfied, but it also allows us to identify opportunities to improve our cybersecurity software offerings. Every moment that our Customer Success Engineers, Customer Success Managers, and Technical Support Engineers are working with customers is an opportunity for us to receive important feedback and helpful new ideas that we can take back to our Product Management and User Experience (UX) teams to make our solutions even better.
Security and IT: CX by another name?
Lately, I’ve been thinking how much my CX team has in common with Security and IT teams. In fact, I would go so far as to argue that Security and IT departments are basically CX teams in disguise. Just like any business, Security and IT have customers they need to satisfy: internal stakeholders and leadership, each with their own needs, challenges and expectations.
In addition to solving technical problems to protect your infrastructure, networks and applications, it’s critical to engage your internal stakeholders every step of the way, garner their feedback, and look for situations where you can add more value–all classic CX efforts. And if you’re successful, that certainly won’t hurt your own team’s internal reputation as a high-performing, get-it-done squad in your company. (Think how that will help when it comes time to secure additional budget or compensation upgrades for your hard-working pros.)
Best practices for your back pocket
Unfortunately, they don’t teach CX in computer science classes. Since you probably already have access to the tools you need to deliver security success, I’d like to instead share some CX best practices that could help you improve engagement with your internal stakeholders so you can keep your “customers” happy and coming back for more–and help burnish your own enterprise cred.
- Start by realizing that providing a service means serving people. When you’re in a technical function, it’s easy to view your work from a purely technical perspective: “We have 400 high-risk vulnerabilities to patch over the next 30 days, so we’ll need to generate fix lists and service tickets, and then track and report on progress.” This is all critical, of course. But faced with the daily flow of technical to-dos, Security and IT managers understandably forget that cybersecurity isn’t just a technology matter. It’s a human one. Because their success often relies on yours, it may be helpful to view your relationship with these stakeholders as a partnership. After all, you really are in this together.
- Help your customers by helping them to define success. You would never undertake a major infrastructure initiative without knowing what you’re trying to accomplish. Just like you might judge a network upgrade on how much it will increase bandwidth or availability, you need to work with your internal stakeholders to define what success means for them. Keep in mind that your definition of success may look different than their definition. Your vulnerability management Key Performance Indicators (KPIs) might be the number of high-risk vulnerabilities closed over a given period. But your customers might care more about reducing downtime or ensuring their operations and applications are minimally impacted by fixes, so they can make their own bosses happy.
- Set, measure and meet expectations. The secret to a great customer experience is simple: deliver the experience your customers expect. While it’s laudable to want to go above and beyond, the fact is that most people just want things to work as they should. (Security and IT managers know the drill: you only hear from customers when things go wrong.) So if you can deliver what you say you will and avoid any surprises, your stakeholders will likely be just as happy as if you over-deliver on a project. For IT and Security teams, that means creating internal service-level agreements (SLAs) that mean something to your various customer groups. For instance, those working to manage and mitigate vulnerabilities can set risk-based SLAs that define in writing the risk tolerance of your stakeholders, their asset priorities, and the vulnerability risk score they expect to achieve. Once these SLAs are agreed to by both you and the internal stakeholder, it removes any confusion about what to expect (i.e., no one will hold you to 0% vulnerabilities unless that’s what you agree to–though if your sanity and survival mean anything to you, I wouldn’t recommend it). It will also help you prioritize the time, effort and people it will take to meet those expectations so you don’t pour resources into efforts that deliver diminishing returns.
- Prioritize customer service. For internal stakeholders, dealing with IT and Security shouldn’t feel like going to the DMV. Remember, they’re your customer. Focus your teams on delivering fast, responsive service when an employee has a question or needs help. One way to improve customer service is to enable customers to help themselves, where applicable, through self-service. In the CX world, that can mean creating knowledge bases, utilizing chatbots, or creating automated helplines people can use to complete common tasks. For IT and Security, a self-service experience might mean providing the tools and support your AppSec team needs to proactively remediate application risk, identify threats, and add new capabilities without having to call or send an email.
- Demonstrate your success. My job would be much easier if I could just say “trust me” and my customers say, “Sure thing.” But we live in the real world–and in the real world, you have to continually show your work, demonstrate the progress you’ve made, and communicate where you are going next. For IT and Security, this can mean using real-time dashboards that show, for instance, the current risk level and how trends change over time. In addition, satisfaction surveys and internal NPS scoring can help benchmark satisfaction levels and demonstrate success when it comes time to secure additional budget or sell new projects.
By thinking about stakeholders as customers to satisfy rather than simply viewing them as people who come to you with problems or additional work, you can deliver a customer experience that frankly few IT or Security teams bother to achieve. As a result, you’ll be able to create security and technology advocates across the business–from individual users to the CEO–who will be invested in helping you succeed.
Because that’s the other CX secret: The more you make your customers’ lives easier, the easier they can make life for you.