What are your strategies for encouraging customer adoption of IT security measures?

CIO in Finance (non-banking), 4 years ago

It's about balance: you don't want it to be too heavy and then suddenly the machine slows down because everyone always says, "It must be the security bot." We have all the things in case you misclick and execute something, but security's hard and we don't want them to self-solve outside of the playpen. 

So the second part of my approach is to give them the best equipment they can use. If I give you the latest Mac with the M1 chip, a fancy camera and all that, what is the likelihood you will use your own laptop to do any work? If I can get into your head to force you down this path, without having to be in front of you saying, "No, you need to do everything on your laptop." It's like a forcing function—you'll use it because it's just better equipment, it's always working, it's supported, all of those pieces. And it's automated, etc. The likelihood that you will go off path is very small, unless you’re resigning. Regular employees will stick with what's given to them.

no title, 4 years ago

I think that's a great approach. It's like Apple's approach to buying their product: if you make the garden nice enough, people don't care that much that it's walled.

Director Business Technology in Software, 4 years ago

My approach is trying to understand what is critical and what our customers need. There's often a blanket reaction to shut everything down because it's just easier than trying to figure out if we really need a shutdown, or if it’s only critical for certain folks.

It's hard and complicated to figure out who's a covered insider, who needs access and who needs full access. It does take work, but the impact of not doing that work is that you have critical people who generate revenue for the business that can't do their jobs. And what happens is, people will find another solution. They'll store the data somewhere else, which just creates another problem. So you have to do that extra work; sometimes there just isn’t an easier path.

no title, 4 years ago

Denying admin access to users on your machine is another simple strategy—in certain organizations, they just say, "No, admin access is not needed." But in our case, we do give users admin access because otherwise it would prevent them from doing a lot of things on their laptops. And now we have other protections like MFA and so on.

CEO in Software, 4 years ago

It’s often assumed that the better your security, the worse the customer experience is as far as usability is concerned. From a historical perspective that’s true to some degree, so I don't know the best way to approach this problem.

Back when I was working at Gilead I assigned some basic security functions to one of my system admins, and they’d read a book that said you should put a lockout on any desktop, and make it mandatory so that when it locks out the customer can't reset it. I had sales people coming at me nonstop the next week, because they're in the middle of a meeting when the computer locks out and then they can't reset it. It's often a matter of figuring out how to get around those little things and go the extra mile so that you can still have what you want without rubbing it in the customer's face.
