Last week, I laid out an overview of how you can use standard best practices of sales and marketing to achieve your security goals. Today, we’ll talk through some common barriers in that strategy and what you can do.
Security’s Brownfield Problem
Most IT professionals are familiar with greenfield and brownfield and know that greenfield projects are always better; dealing with old mistakes and compromises made by other people is less fun. The patterns of greenfield and brownfield also apply to relationships: partnerships and trust are a capability like any other, with tools, operational excellence, and KPIs to match. Unfortunately, when joining an organization, relational greenfield is mostly a myth. Most leaders get brownfield, inheriting everyone’s perceptions and associations about their team, predecessor, and industry.
Many people perceive security to be a barrier to progress. They have stories about how they wanted something good for them or their team, and Security said no. They have stories about how Security made them build more things they didn’t need or buy a more expensive product or extend their project timeline for unclear reasons. They believe that Security is a bunch of anal-retentive, perfectionist, power-tripping idiots who would never make it in the real world.
If this is your narrative, it’s clear that avoiding Security is your best bet for success.
There is an ugly cycle here: a team tries to avoid the Security team, builds a vulnerable capability, then Security finds out and escalates to Legal, the CIO, or the CFO. The team is then forced to bolt on some security measures to their already-in-use product that make it annoying. They resent Security and feel even more strongly that Security only causes problems. Security resents them for unnecessarily exposing the organization to risk that Security will have to step in and rescue them from, especially because the bolt-on measures will never be as strong as a capability built with security in mind. Everyone loses in this scenario.
The root cause is the lack of trust in the security team: the belief that they are against progress and good. The solution to this is security marketing and sales, but those measures go a lot farther if you have concrete examples of providing benefit. Your best approach is building out standard, secure solutions that work for most people. Success in this strategy is showing your customers that an existing solution meets their needs and provides unexpected value over the solution they’re considering without demeaning them or their judgement.
Here are some common barriers to achieving that:
The sooner you can get your solution in front of people with a problem, the less invested they’ll be in their way of doing it. Advertise your standard solutions: a searchable, linked landing page explaining how and when (and why!) to use a particular standard goes a long way.
Figuring out how
Even if they know about a standard solution, you’ll lose them if it’s hard or unclear how to get started. Make it easy: create how-to videos or procedures. Make your doc easy to understand. Make the steps easy. Link directly to intakes if administrative action is required to get them started. Respond to intakes in a timely way.
The time it takes to use
If they start using your standard solution but it takes a long time to do what they need, they will try to find another solution that works better for them. Sometimes you can fix this with training. Sometimes you need to adapt the user experience to meet their needs.
Whether it worked
If the interface doesn’t always work the way users expect, that quickly builds distrust of the system. If people can’t trust something, they need to spend extra time “babysitting” it to ensure that what they wanted is what actually happened. Babysitting time builds ill-will faster than most other sorts of work.
Whether it was fast
People are sensitive to performance; they resent time spent waiting. Also consider fulfillment time if the system fronts a service. If people think that engaging a team through your ticketing system is slower than emailing them, they will blame that experience on the ticketing system and try to avoid filing tickets.
Prioritizing customer experience may seem overwhelming on top of your existing enterprise security priorities, and it’s tempting to give up and go back to a legalistic, bad-cop, no-exception approach.
It doesn’t need to be that way: pick your battles and the easiest wins, and start knocking them down in order of value. User Stories are one of the best methods for finding and prioritizing opportunities to lower these barriers.
Sometimes, improvements are hard to deliver because underlying issues increase their cost. Next time, we’ll discuss those deeper barriers: organization-wide cultural and technical issues can really reduce your team’s ability to improve your customers’ experience.