How Your Customers Think About Security (and how to leverage it)

Over the years, I’ve learned a very important lesson. There is a misperception that our customers do not understand security, and that they do not care. What I have found is that our customers do understand security, and they communicate it in terms they know well. Unfortunately, these are not the terms that Information Security professionals normally use. What I want to do today is bridge that gap between our customers and our programs so that we can do a better job for the people who entrust us to protect them on many levels.

Today I want to discuss how we can use five techniques to improve customer relations and provide better reach for healthcare information security programs. We can improve how we meet our customers’ needs, and we want to provide the tools for us to replicate this. Customer outreach/personal communication, active listening, understanding the customer experience, presenting in their way, and taking the extra steps can help us all accomplish our organization’s Mission and Values and improve the organization, not just security.

Customer outreach and personal communication means that you proactively reach out to customers. They have devices at home. They have smartphones. They get many confusing messages about computer security. My wife will use the phrase “stereo instructions” to describe when she reads something that is not easy to comprehend. People who read Information Security communications often feel like they are reading those.

We need to use a technique I like to call “Follow Through”. This means that we take the communications from multiple sources and rewrite them so that they give an appropriate call to action for our customers, using language they understand. We want them to be empowered to protect themselves. There is a correlation between a team member’s personal issues and their performance. We want to make sure that they are not victims of a data breach or something similar that would cause negative issues. We want our team members to know that we are looking out for them.

With the emphasis on Bring Your Own Device and the use of technologies such as Virtual Desktops, we now blur the lines between personal device usage and professional use. We need to realize this and start advising on personal technology safety, because it is now professional.

Active Listening cannot be overemphasized. Our customers have an understanding of Information Security. It is in their terms and is part of their business. We need to take the time to listen to them and hear their concerns. There are a lot of people in Information Security who tell their customers what they think they need to hear. What we need to do is have them tell us their story and what they expect from us. We have not listened as an industry, and many attempts to scare people into listening are failing. Alarm Fatigue over data breaches and security is setting in, and we need to take a different approach.

Understanding the Customer Experience is also very important. When our customers need to implement security as part of existing or new business processes, there are workflow conflicts. Many security solutions do not get implemented because they negatively impact critical processes. We need to understand the patient and team member experiences. We need to sit elbow to elbow with them so we can see where the challenges are, and work to address them. This is something that we currently do for new implementations of EMR systems. However, we need to expand this to more projects, so we understand where we need to improve.

Presenting In Their Way means that we need to be able to take what we learned from Active Listening, Understanding the Customer Experience, and Customer Outreach and package it in a way our customers need. We are judged by how well we communicate what they need on their terms and in a way that lets them comprehend very quickly what benefit this has for them. We need to focus on how to get the message across visually, using common terminology, and in as short a time as possible. Customers want us to understand them. They don’t want to have security shoved down their throat or the threat of OCR fines and data breaches used as a cudgel. You will cause employee disengagement and serious problems with leadership if you do that. They need to know what they can do and how we can empower them.

Taking the Extra Step involves putting yourself out there in different ways. One of the largest budget challenges is working for a nonprofit. The CFOs who work in this environment often must do more with less than their teams realize. Smaller teams may not have the money to implement your recommendations. Be creative and understand how to budget to help your smaller teams out. Clearly explain costs. Offer to pay for smaller initiatives. Don’t be the leader who tells people “that’s not my cost center” or “I don’t have resources”. Be the one who creatively works with customers to meet their needs. Take the extra steps to make better security a reality, and do not make excuses for why not.

With these steps, we can build a more sustainable program. We can avoid reflexive solutions that hinder workflow, cause disengagement, and do not meet needs. Empower the customers and build that two-way communication. Understand their business, communicate on their terms, and take that extra step. You’ll find that following these steps will help you work with customers who understand security, and do so in a way that benefits you both.

About the author

Mitch Parker, CISO
Mitchell Parker, MBA, CISSP, is the CISO at IU Health. Mitch has eleven years’ experience in this role, having established effective organization-wide programs at multiple organizations. He is responsible for providing policy and governance oversight and research, third-party vendor guidance, proactive vulnerability research and threat modeling services, payment card and financial systems security, and security research to IU Health and IU School of Medicine. In this role, Mitch collaborates across the organization and with multiple third parties to improve the people, processes, and technologies used to facilitate security and privacy for the benefit of IU Health’s patients and team members.