Few will argue about the importance of customer service, especially when that service is for paying customers. After all, who would want to buy anything from a retailer who has treated them poorly? What’s more, people don’t want to bank with an institution that is abrasive and confusing every time a customer tries to place a support phone call. Customer service in cybersecurity is also important, in fact, it’s one of the most important things we can do.
You might be asking yourself why. You’d be right to do so. Cybersecurity is a field based on trust. We’re not talking about zero trust models and adaptive authorization. We’re talking about trust between teams and between people. Why is that? In many cases, cybersecurity teams aren’t directly responsible for security work that impacts an organization’s risk. This might be patching, doing background checks, or writing code. Other teams in an organization are typically responsible for doing this work and those other teams have other priorities.
Cybersecurity teams function with a currency of trust and influence amongst other teams.
Defining Customer Service
Zendesk defines customer service as follows.
“Customer service is the act of supporting and advocating for customers in their discovery, use, optimization, and troubleshooting of a product or service. It’s also the processes that support the teams making good customer service happen.”
If we think about customers as all the teams and individuals who depend on a cybersecurity team, then customer service can take many forms. Here are a few notable examples of good and bad from my own career experience:
- Product teams who engage with a penetration testing team only to find them abrasive, cocky, and difficult to work with.
- Sales teams who rely on security to assist with third party risk assessment forms to move big deals along.
- IT teams look to security to help understand the barrage of vulnerability scan reports, what they mean, how to prioritize them, etc.
In the three common and very real scenarios above, another team was looking to cybersecurity for help. This exchange can go well and leave that team feeling better for having engaged. That exchange can also go incredibly poorly, as in the penetration testing example, leaving that team frustrated and agitated.
Why Does This Matter?
Whether or not we like it, nobody really has to engage a cybersecurity team for help. I know what most policies say and how that lines up with SOC2 assessments and the marketing lingo that describes positive cybersecurity cultures. But if a security team is abrasive, unhelpful, or just downright confusing then they run the real risk of being ignored. For a security team to provide value across an organization it is imperative that they engage, positively, across an organization.
If a security team is ignored, they aren’t providing value. If a security team is ignored they might actually be providing negative value. I do need to clarify that a team being ignored is not the fault of a security team alone, there are a lot of factors that may contribute to such a dynamic. We can’t control most of those things though as they have to do with others. So we should look introspectively at what we can do along the lines of product or service design and customer experience.
Where to Start
To conclude this article, I wanted to break down three key things that every team should be thinking about in their journey towards awesome customer service experiences.
Identify your customers and what matters to them.
Grouping customers into a couple of high-level buckets with a few bullet points about their goals is your starting point. For example:
- Engineering cares about speed to market, high quality code, and flexibility.
- IT cares about stability in their environment.
- Sales and marketing care about building and maintaining trust with current and prospective customers.
Start actively listening to your customers to figure out what’s working and what’s not.
There are a lot of ways to listen. Sitting down for (virtual) coffee and a 1:1 is a great way to build trust, show that you’re invested in a positive outcome, and learn a lot. Pulse surveys run semi-regularly can cover a lot of ground and provide data to go with decision-making. Open retrospectives can give interested stakeholders a place to share their thoughts.
Map key products and services to customers.
The cybersecurity team is likely responsible for a book of work that includes a mix of products and services. Understanding what things serve who and why is important. Going back to step 1, if you understand what a customer values you can determine whether or not your product or service is positioned to help or hurt. Better yet, get them involved in the outcome to make it better.