If you mention security service to an information security professional more than likely they think of a technical control running on a host. This is true, but there is another service – the service that we, as security professionals, provide to employees and customers. How would we be rated on our level of employee or customer service? This is more than a Service Level Agreement (SLA); this is the interaction with those around us – the people we are serving and why we were hired in the first place.
What perception do people have of the quality of service provided by a security professional? The view one has of us develops with the very first interaction we have with people (notice I did not say, end-user). We security professionals are notorious for complaining that the business does not listen to us and that we don’t have a seat at the table. Security professionals can make progress towards changing this by working on the service soft skills with those around us in order to improve our visibility.
Dennis Snow, former 20-year Disney employee and now leadership and service consultant, recently provided a simple, yet powerful keynote on the subject of service. If you’ve ever been to Disney, undoubtedly you had a memorable time (you’re broke, but it was unforgettable). Disney’s focus on service is at the core of their business — to ensure you have a magical time. A day-in-the-life of a security professional is no Disney vacation, but we can learn from Dennis who outlines four guiding service principles. Each principle can be related to nearly every profession and industry. What are they, and how do they relate to information security?
1. Look through the lens of the customer
Security professionals interact with, and provide service to people in some capacity everyday – some more than others. When we do, look at the challenges through the customers’ or employees’ eyes. Try and see what they see. We tend to get frustrated when working with people outside of our domain because they “don’t get it,” However, on the flipside, people get frustrated with access controls, password policies, and social media block pages. Yes, controls are there for a reason, but try and see it through their eyes in order to better understand what they see. Try to see that they are crunching month-end numbers, or working on a sales promotion, or simply just trying to get through email (which by the way was quarantined leading to delayed access). Security’s responsibility is to serve (and protect) the business and its customers – the employees of the business. If we can see it through their eyes we will have a better understanding when we serve them and can proactively adapt to improve our level service interaction even while defending.
2. When it comes to a company’s environment, recognize that “everything speaks”
Do you have a favorite brand? Anything. What is your first reaction when you see your favorite brand? You immediately associate it with quality and goodness! Security professionals should think of their name as their brand. What would an employee or customer’s immediate reaction be if they saw your signature on the work you completed? Do they associate your name with quality or mediocrity?
Everything we do speaks whether it is hardcore technical or a soft-skill; we are speaking our personal brand. No matter how big or small, we are speaking who we are, by how we interact with people and by what we do. In security this is not only the technical solutions we architect, but also how we write and speak to fellow employees. It is even the smallest details that we don’t think matter, but to the employee and customer, they do. Everything we do in our jobs speaks to those around us and this shapes our brand as a security professional.
3. Create moments of wow
Think to yourself, is what I’m going to do just good enough or is it something that will make the employee say, wow! Employees not immersed in security are often intimidated by the technology. It’s not uncommon for security professionals to see employees struggling and figure, they are incapable of learning or worse, use ignorant comments like “there’s no patch for stupid.” However, employees are interested and they do want to learn, it just takes the right approach to reach them. This is part of our job as a security professional where we elevate those around us to be better equipped at helping us fight the good fight!
Gallup conducted research and found employees and customers rate outstanding service when we partner and advise. Accuracy and availability is important, but it is expected. However, we reach people and our level of service increases when we are seen as a partner and advisor. When a security professional is able to advise another person, there’s a connection and the service rating goes up a notch.
4. Know what frustrates people and do something about it
What about security frustrates people? By engaging with people and asking questions, we begin to understand their challenges and can work towards reducing frustration. Shadow IT employees are frustrated and want the best the Internet has to offer and take matters into their own hands, which in turn frustrates security teams. The partnership layer from the pyramid does not exist, when frustration sets in. However, by asking questions and working to solve problems which frustrate employees, our level of service improves and we are viewed through the lens in a positive light.
These guiding principles can apply to many businesses and security professionals adopting these will help improve the level of service provided. This isn’t anything revolutionary, but rather core service attributes to improve the relationship between security and employees. Put away the condescending “end-user” remarks. Partner and advise employees through their frustrations and see it through their eyes, and do it right the first time, or not at all – your personal brand depends on it!