I know that a lot of people just don’t get the whole “customers of security” vibe I keep yapping on about, and some people still say the primary job of security is the enforcer not the advisor—including a rather long and otherwise well-written LinkedIn post I read last night.
The thing is, I just don’t agree. When you’re programmed to be an enforcer, it’s quite often far too easy to start to enjoy the daily judgement calls as to the meaning of what you’re trying to enforce, and then when that happens, you’re not really adding value—you’re just a security bully who gets off on being right and justifies your endorphin rush in the name of policy and protecting the organization.
But of course…this doesn’t really happen in the “real world.” I mean, just look at the ne—
Neeeevvvvveeeerrrrrrrmind.
After as many years as I’ve been doing this – and especially as I’ve worn more and more hats in the business world – I do truly believe that one of the biggest failings in most security programs is that they don’t realize that you need to treat security a lot more like a business than a kingdom.
In a kingdom, you have subjects. And those subjects pretty-much need to do what the leader says. The King sets the laws, and the subjects obey—even when tomorrow the law may be different than it was yesterday.
However, in business, you don’t survive unless you have customers. And just “having customers” isn’t really enough. If you want to be truly successful, you need to have *repeat* customers. Customers who buy from you because they believe in what you do…who believe that you can help them solve their problems…who believe that you can help them achieve what they’re trying to achieve.
Now, which one of those sounds more like what you believe security should be?
Really, you can have any opinion you want. It’s perfectly your right, and I’m sure you’re going to do the most with that opinion you can possibly can.
Personally, I’m obviously going to come down on the “security as a business” side of the argument vs. the “security as a kingdom” side. If you don’t, you might want to really question why you’re getting my emails…
In the August issue, I talked about the types of security customers, and I’ve already talked in the last couple of emails about how the customers are different with different needs, and that’s something we can’t ignore if we want to have a successful security program.
However, today, I want to harp on this “customer vibe” a bit more with a quote from someone I never, ever really thought I would quote in a positive way. But here – along with the requisite monkeys flying out of my butt – is something Bill Gates said about customers:
“Your most unhappy customers are your greatest source of learning.”
So why are we talking to our stakeholders? Why are we really trying to get some of their time – their most valuable resource – and have them decide to spend some of that time with us talking about security?
Because if we want to be a successful security program, we have to learn—always. We have to learn about their world (Principle #2), we have to learn about what they want, what they’re afraid of, what will happen if they don’t get it or it takes longer than they want.
But most importantly, we need to learn more about why they do or don’t like us as security. It needs to go far beyond “Well, because you kill or delay all my projects.” Being the Department of No is a problem, but we need to understand how that causes problems for them.
Because if we understand the problems we’re causing, then we understand how we’re not delivering our mission and purpose of security to help the organization be successful, safe and responsive.
So don’t fear the stakeholder who doesn’t like you. Make them coffee. Boldly face and proactively admit the reasons they might not want to talk to you or that you’ve made their life difficult in the past—and honestly and openly demonstrate that you’d really like to change that dynamic.
Remember, it’s all about earning the trust and support of the people in our organizations. And we’re not doing that because we want to be a spineless snake who can’t keep the organization safe because they agree to everything the customer wants. That’s not how you build trust.
You build that trust by helping people get what they want—and keeping them out of trouble while they get it.
So think about which side of the Security Kingdom vs. Security Business debate you’re going to be on the next time you’re talking to one of your security customers. And if you want to know more about how to more easily, quickly and reliably build that trust and support…
…then make sure you’re subscribed to the Security Sanity print newsletter before the September issue goes to the printer at the end of the month using this link right here:
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
