Ross Stapleton-Gray, Ph.D., CISSP, talks about his personal experience with changing career direction, along with looking at career paths in and out of the chief information security officer (CISO) role, particularly the idea of specializing in customer trust as an evolving cybersecurity function.
I’m several months into a new role with a SaaS start-up. It’s another security role, but it’s officially called Customer Security Assurance and I’ve most regularly referred to the work as “customer trust”. In this role I'm not directly responsible for operational security, an overall security program or application security (though I have an interest in all the above and plan to be a resource for that within the company). The role is effectively a bridge between the customer and the company on all things security (and where I can, compliance, privacy and legal, to give us bench depth). It's a great role for a storyteller and translator. While I started my own career with a computer science degree in hand, I could see this role filled by someone who trod any number of routes, including non-technical ones.
The customer trust role partners closely with the sales team, as well as with the customer success team (which takes customers under their wing to retain them or, ideally, entice them to invest more in using the services). To use a common metaphor, sales “sells the sizzle,” describing products or services with an eye toward exciting the end user; whereas the trust role is to provide the nutritional information and food inspection evidence for that steak.
The Need for Security Roles
It’s worth backing up and recalling why any security roles exist in the first place: our contribution to the enterprise is to reduce risk in delivering a product or service, inspiring the trust of customers who then pay for those products or services. I like “customer trust” as a framing, as it makes clear which aspects of information security need my attention and which part I play: I’m one of the “explainers” who communicate a sense of how well we are addressing security issues. We are also “listeners”, bringing back customer concerns and requirements for the company’s attention.
Exploring a Customer Trust Role
A customer trust role can be blissfully disconnected from on-call trees, SIEM alerts and middle-of-the-night emergencies in incident response. It’s important to know the whys and wherefores of those, but the role operates at a layer of abstraction well above:
- Strategically, it’s building out customer-facing resources, such as a corporate trust center. That’s both developing content, such as explanatory white papers, as well as assisting in automating processes that feed governance, risk and compliance (GRC) tooling. In addition to all of this, maintaining the program for security awareness training and building a security-conscious company could also be strategic goals for the trust role.
- Tactically, it’s responding to security questionnaires, one-off questions and urgent requests to intervene with potentially churning customers, to reassure them of the value (at least, from a security or risk perspective) we bring.
- Going back to the strategic level, it’s about feeding back into the company – in particular into the product teams – what we learn from customers.
Information Sharing
Another of my observations about the role: the customer may always be right, but they’re regularly quite wrong, too. That is to say, no deal happens if the customer isn’t happy – but getting them to that stage often requires educating and steering them into asking the legitimate questions that they need to know about, as well as navigating around the ones that don’t really apply.
A question such as “What DLP do you have?” is an example of this information flow in practice. Tools and techniques for data loss prevention may well be important, especially when data is readily recognizable as sensitive and potentially concerning (e.g. credit card or Social Security numbers).
I’ve also learned that customer trust is adjacent to the GRC function. Communicating compliance certifications and attestations to customers is an obvious need (which can be handled through a web-based trust center in as much of a self-service fashion as possible), but continually assessing compliance needs is also part of it. Is the company gaining a foothold in a particular sector? Would some additional certification accelerate that? Is the net value of some compliance efforts falling below the cost? Does that investment merit a reassessment?
The emergence of governance, risk, and compliance (GRC) as a recognized, conveniently packaged field has been impressive. GRC platforms, GRC tools and roles such as GRC engineer and GRC specialist didn’t really exist a decade ago but are now common and becoming even more prevalent. The SOC 2, as a service control audit framework, was an extension of accounting audits, but has blossomed into table stakes for any serious SaaS company. As a true measure of a vigorous adolescence, if not maturity, you can see punny GRC ads on Silicon Valley billboards: “Compliance that doesn’t SOC 2 much.” Many information security professionals will find a fit in GRC roles, along with folks coming from other fields.
Benefitting from a Customer Trust Role
My overriding sense is that the customer trust role can benefit greatly from a generalist’s skills and experience. A valuable input to the “compliance needs” question, for example, is a little competitive intelligence: do the alternatives [to us] offer something (on the trust front) that we don’t? Channels for customer trust messaging are everywhere, from marketing to our customer support and success teams, to the pointiest end of the spear in sales: are they fluent in the language of trust, and inclined to speak it as often as they ought to?
The customer trust role is the antithesis of the “just say no” security stereotype: it’s an enabling role, aimed at reducing concerns through a compelling explanation of which risks are acknowledged and how the product or service successfully addresses them. It helps to guide what we build in the future, through understanding both customer concerns and market requirements for security and compliance.
Ross Stapleton-Gray, Ph.D., CISSP, has over 30 years in the technology, government, non-profit and education sectors. He has held various research, compliance and cybersecurity roles, with responsibility for establishing or maintaining security and compliance programs and teams.