Balancing Information Security and Customer Needs
Security breaches in the contact center environment can be enormously expensive and damaging, so it is worth real money to approach these matters the right way. It is important to foster a strong security culture supported by well-designed processes, rather than rely on a patchwork of technologies that simply give a warm fuzzy feeling of security. Security is a journey, not a destination, and corporate culture and business process must mesh with the technologies that support them, not the other way around.
As a contact center manager, you should be concerned about these issues because there is a natural tension between the needs of security on the one hand and the desire to facilitate easy, effortless customer access to information on the other. It takes an “eyes-open” culture to balance the objectives of both sides. Unfortunately, many companies today do not have the culture or processes that support the appropriate use of defensive technologies, while at the same time facilitating the conduct of business with customers.
You have an opportunity to be a catalyst of change for your contact center’s information security culture. However, you may need to open your mind a bit. Start by considering your own experiences:
– Have you ever felt that your security colleagues have placed unnecessary obstacles in your way?
– Have you felt misunderstood by the very people who say they are trying to protect you?
If so, you are not alone. These are signs of an organization that needs to evaluate how information security is approached, with an eye towards changing attitudes, instituting best practices with collaboration and mutual understanding, and giving more thought to the timing of critical conversations.
While a secure-but-business-friendly culture has many components, we offer a few key items for consideration here:
1. Security starts at the top. Senior-level leadership is needed to raise awareness, articulate the right values, and initiate programs that support a healthy security culture.
* The corner office folks should share their concerns and needs with security specialists, making it clear that they can and must communicate with other parts of the organization about security in an open and collaborative way.
* Operations managers (including call center managers) should include security experts in their planning and execution of new technology initiatives, especially before contracts are signed.
2. Seats at the decision tables (project level). This follows from number 1 above. When it comes to technology and software, the corporate world is often a compartmentalized place where specialists don’t talk to each other, much less (heaven forbid!) to the actual users. This needs to change, and contact center managers need to be part of the solution both by demanding a seat at the enterprise table and by offering a seat at the contact center table whenever needed. Your business runs on IT, so it must be secure.
3. Avoid surprises. Do not spring things on your security colleagues. “We have this software that is going live on Tuesday, are you ok with that?” is not music to anyone’s ears.
4. Context is king. As contact center managers, you need to articulate your business requirements in a clear and documentable way. Describing your needs will also force you to clarify ideas and make the case for what you want. In the absence of compelling context, your security colleagues will generally react in a black-and-white, conservative way (e.g., they may over-compensate on the controls they require), which can derail your projects. To avoid churn in people, as well as requirements creep, document key decisions, including alternatives considered and the rationale/justification for the final outcome.
5. Stay close during implementation. Even after decisions are made, the same stakeholders should be kept in the loop. There should be regular checkpoints with your stakeholders baked into your processes. Control & Governance processes can be light-weight (in terms of bureaucracy), but should include key stakeholders and interested parties. Use emails that require a reply of “have read and understood” within a reasonable period of time.
6. Caveat Emptor (buyer beware!). Vendors are essential parts of our ecosystems and, to your security colleagues, a potential source of threats as well. More than one customer has been railroaded into higher risk situations by pushy salespeople. Vendors can introduce weak links, so bring in your IT security experts to help drive the vendor discussions early on. Be ready to push your vendor to offer the necessary security to go with the whiz-bang functionality you are salivating over. If needed, get a time-limited risk exception (part of a culture/control and governance process) that satisfies your security colleagues, and then work with the vendor to fix any problems.
7. People Power. The right people, well chosen and properly trained, who live the values articulated by senior leaders, are essential to an organization’s culture. Both initial training and ongoing training should give proper weight to IT security. Invite your security colleagues to address your project people on a periodic basis and at the right level of detail. As the business owner, be candid and ask IT security to help you remove obstacles to moving forward, through better tools, patterns, and standards.
Think about a company in which all of the above best practices are implemented and working well. It is a company that can build corporate value in a more healthy and secure way.
The customer contact function presents special sensitivity for security, especially in regulated industries. Points of vulnerability include CRM (customer relationship management) software, which draws upon databases that may include patient health records, credit card or bank account information, and social security numbers. It is incumbent on customer contact managers to be part of the security culture, and not part of the problem.
Experience shows that a well-oiled security culture will save money and improve your economics. Having superior security capabilities will avoid a lot of very expensive and time-consuming problems. If you have weaknesses, address them early in your project to avoid impacting downstream operations, which might require compensatory compliance processes at additional cost (“run-the-engine” cost). Audit and added oversight may then be needed to ensure that the work-around processes are properly functioning.