The Customer is Clueless – Not!

 Have you ever spontaneously started ranting about project progress – or lack thereof? Or maybe you’ve heard colleagues voice their very vocal complaints. Does this sound familiar? “Those (bleeps) just don’t get it! I seriously doubt if (a certain customer-side manager) ever graduated from high school. I’m going to hack into that (such and such) university database just to prove that he never graduated from college. His degree must be from a diploma mill….” (yada, yada, yada)

Well, perhaps you are right. You may be at the mercy of someone who is lacking brain cells, incompetent, or worse, a team of complete frauds. Then again, if you think this description seems to fit the majority of your customers both past and present, you might want to read on and reconsider a few things. That is, at least part of the real problem may have more to do with yours truly.

First, for context, this is the fourth installment of seven blogs answering the central question: why do security professionals fail? I am attempting to address some of the softer-side issues that I have seen hurt or even paralyze security careers over the past twenty-five years. Beyond gaining CISSP certifications, attending RSA conferences, developing hands-on experience with black boxes or piling up resume credentials, how can we be more well-rounded security pros?

Blog #2 asked if the virtual show fits – meaning we need to offer multiple options, if possible, and not force a single approach on everyone. Blog #3 offered up a portion of humble pie that we all need to eat every so often. The reality is that prides comes before a fall in security as in most areas of life. I also answered questions last time in a related blog which offered my definition of a security pro.

So, here we are with that annoying client. Perhaps you think this person is an idiot, but you’d never say that in public. OK, maybe you would. You’ve thought it through, and you’ve concluded that the business team doesn’t understand computer security. They don’t realize the risks they are taking. They just want to check the box quickly and move on. They won’t pay for the controls they need, and you’re being forced to try and convince the auditors to believe that you’re complying with regulations, policies and laws.

 Worse than that, you’ve now concluded that the business team will never get it. You’ve emotionally checked out of this project. This has led to a non-spoken “us versus them mentality” at most meetings. Problem is, they’ve got the money, influence and power to make things happen.

You’re tempted to go back to FUD and scare the heck out of them. You feel like punching the next person who tells you that you “lack customer focus.” You realized long ago that this client has major blind spots. There are huge holes that need to be plugged – fast. But no one seems to be listening to you. Frustration is a kind way to describe your darker feelings. The formal competency that relates to this situation could be a lack of business acumen.  But a more simple description might be:  

Problem #4 for Security Pros – The Customer is Clueless – Not!

 Truth be told, most professionals can relate to these feelings at some point in their career. I certainly can. The struggle between security and other parts of the business can even be compared to the right- left divide in politics. Whether you agree or disagree with Gerard Alexander’s viewpoint, he illustrates a perceived lack of respect from the other side. While I’m staying out of those politics, I want to point to the similar tension that is often the real elephant in the room during project meetings.  

Of course, this same customer relationship challenge applies to more than just security professionals. I recently had a meeting with a major software provider in which we discussed impediments to getting large email migration projects completed. This expert, who has successful finished dozens of major integration efforts, said something rather profound. “Yes, we always need to overcome people, process and technology issues, but they are not even close to being equal in difficulty. Over ninety percent of our project integration problems are really people issues.”    

WOW. That’s an awfully big percentage. He was including training, culture and a whole bunch of attitude and other customer-service issues into that number, but I would place the percentage slightly lower for security. Still, that’s where the adage “perception is reality” comes from.

Before I go on, I want to address doubters. Some readers will probably disagree with me and say that there should be no “them” at all. We are all one team and working projects together. Security should be so integrated into the business that we never have these thoughts or feelings. After all, isn’t the customer always right?

My response is that this is not reality. That is akin to a one-party political system with no Republicans and Democrats fighting it out or discussion with contrasting ideas/perspectives within political parties.   More to the point, CSOs and their teams are usually not part of the business but report to the CIO, CFO or some other separate business unit. Security is usually a separate office or practice in most large companies. In smaller organizations, security professionals may be viewed as the “expert from out of town” or worse outer space. In either case, we need to be creating and implementing policies and procedures to balance security controls with business needs.

So how do we get out of this negative spiral? The answer is to really know the business. Understand what makes them profitable and how they define success. Really understand their risks. Learn the good, bad and ugly. All of this is well documented. Many security pros can even speak the local business lingo with the best bankers, health professionals, accountants or whatever business they are trying to protect. This expertise takes time and energy to build properly.

But I want to focus in on one particular aspect of business relationships. Yes, this skill is hard to find, but it doesn’t take an MBA or a decade of industry-specific experience to get it. More than that, I am confident that security professionals can develop this ability without new (formal) classes if we are willing to change and do what it takes to constantly evolve and adapt with the business. What I am I talking about? 

Solution #4: Improve Customer Relations by Separating the People from the Security Issue(s)

For starters, the business is made up of people. These people have families, play golf (or another game), follow local sports teams, believe in God (or not) and go to the movies. Remembering this will help when you want to demonize them or write them off. More than that, you will separate the tough issue from the person who disagrees with you. Remember that the relationship will usually last longer than the challenge you’re dealing with on a particular project or incident.

For example, in Michigan government over the past 12+ years, I have played a variety of roles and been in hundreds of meetings on various technology and security issues, events, incidents, vendor selections, new policy discussions, budget problems, cyber attacks and more. Throughout this period, I have worked with largely the same group of technology and business professionals on a variety of different topics.

Have there been disagreements. You betcha! Sometimes, you need to stand your ground and not compromise on important principles. But I try to not hold grudges or build unnecessary walls if final decisions don’t go my way. Yes, we try to build WIN/WIN solutions with customers, but if I win a tough (WIN/LOSE) argument, I attempt to immediately go out of my way to mend fences and strengthen the partnership with the customer involved. It always helps, since there is usually a “next time.”

 If you get together and listen to your customers over lunch, you will naturally build relationships that will outlive bad things that happen like a denial of service attack, arguments over changes to the password policy or embarrassing audit findings.

What should be our personal goals through these encounters? A few include: building mutual respect, developing a positive, approachable reputation, being known as customer-focused and gaining an understanding of the business needs. Far too often, I see security staff win the battle but lose the war. They get their way on some important control, but anger everyone in the process. They think they are in a sprint, not a marathon. Later, they don’t understand why they lose influence and respect.

One sure sign of this problem for security staff is if nothing happens without bringing in the “big guns.” If you regularly need help from someone way up the management chain to fight security battles with your customer’s senior management, you probably have customer-relationship opportunities to improve. You need to adjust your approach and/or you are not as influential as you need to be.  

Of course, background checks that go bad or other security violations that are particular to one individual need to be addressed. That is a separate topic altogether. But my central point is this: the customer is (usually) not clueless – so figure out want you don’t know that he/she does. Get to know the business – one person at a time.

Next time, Cyber ethics are for security professionals too.