What are your strategies for encouraging customer adoption of IT security measures?

People & LeadershipStrategy & ArchitectureSecurity & GRC+7 more
1.5k views5 Comments
CEO in Software, 11 - 50 employees
It’s often assumed that the better your security the worse the customer experience is as far as usability is concerned. From a historical perspective that’s true to some degree, so I don't know the best way to approach this problem.

Back when I was working at Gilead I assigned some basic security functions to one of my system admins, and they’d read a book that said you should put a lockout on any desktop, and make it mandatory so that when it locks out the customer can't reset it. I had sales people coming at me nonstop the next week, because they're in the middle of a meeting when the computer locks out and then they can't reset it. It's often a matter of figuring out how to get around those little things and go the extra mile so that you can still have what you want without rubbing it in the customer's face.
1
Director Business Technology in Software, 10,001+ employees
My approach is trying to understand what is critical and what our customers need. There's often a blanket reaction to shut everything down because it's just easier than trying to figure out if we really need a shutdown, or if it’s only critical for certain folks.

It's hard and complicated to figure out who's a covered insider, who needs access and who needs full access. It does take work, but the impact of not doing that work is that you have critical people who generate revenue for the business that can't do their jobs. And what happens is, people will find another solution. They'll store the data somewhere else, which just creates another problem. So you have to do that extra work, sometimes there just isn’t an easier path.
1 1 Reply
CIO in Telecommunication, 1,001 - 5,000 employees

Denying admin access to users on your machine is another simple strategy—in certain organizations, they just say, "No, admin access is not needed." But in our case, we do give users admin access because otherwise it would prevent them from doing a lot of things on their laptops. And now we have other protections like MFA and so on.

1
CIO in Finance (non-banking), 51 - 200 employees
It's about balance: you don't want it to be too heavy and then suddenly the machine slows down because everyone always says, "It must be the security bot." We have all the things in case you misclick and execute something, but security's hard and we don't want them to self-solve outside of the playpen. 

So the second part of my approach is to give them the best equipment they can use. If I give you the latest Mac with the M1 chip, a fancy camera and all that, what is the likelihood you will use your own laptop to do any work? If I can get into your head to force you down this path, without having to be in front of you saying, "No,you need to do everything on your laptop." It's like a forcing function—you'll use it because it's just better equipment, it's always working, it's supported, all of those pieces. And it's automated, etc The likelihood that you will go off path is very small, unless you’re resigning. Regular employees will stick with what's given to them.
2 1 Reply
CEO in Software, 11 - 50 employees

I think that's a great approach. It's like Apple's approach to buying their product: if you make the garden nice enough, people don't care that much that it's walled.

Content you might like

How soon do your new employees get security awareness training?

Awareness & TrainingRisk ManagementSecurity Strategy & Roadmap

First day on the job10%

Sometime during their first week52%

Sometime during their first month26%

2-3 months after their hiring date6%

It depends on their role/level3%

Other (explain in the comments section)1%


299 PARTICIPANTS
1.2k views

Does anyone have any guidance, tips, and/or templates to share to help establish Identity Access Management governance as a part of an overarching Identity Governance and Administration program?

Process ManagementIdentity & Access Management (IAM)
2.1k views2 Upvotes1 Comment

Does your org consider API security a high priority?

Security Strategy & RoadmapThreat & Vulnerability ManagementRisk Management

API security is our top priority8%

Very high48%

High34%

Medium9%

Low1%

API security is not at all a priority for us1%


101 PARTICIPANTS
818 views

How do you keep a team motivated in absence of leadership?

People & Leadership
Read More Comments
40.9k views29 Upvotes21 Comments

Would anyone be willing to share best practices about how their organization deals with ensuring Cookie Compliance, specifically to GDPR rules? Where should this sort of compliance review sit in an organization? The particular issue we have is who should review new web deployments that use cookies and to make the decisions on whether Cookies are Strictly Necessary or Functionality Cookies. For example is a Cookie required for a Live Chat to work Functionality or Strictly Necessary? Our Security team does not consider taking on these compliance reviews as their domain, as Cookie Compliance is not an internal security matter and the Data Protection team has a limited interest as the GDPR rules around Cookies apply in case of any Cookie being used by a website, whether or not it contains personal data. 

Security & GRCRegulatory Compliance
609 views1 Comment