Security As Trust

I was recently thinking about the nature of business and questioning some of my assumptions. I’d like to share a bit with you.

It seems that organizations want to maintain close relationships with their customers, and those customers expect certain unwritten rules to be followed. These rules are so obvious that they’re often not consciously considered as anything beyond the background of our daily purchase decisions. Even so, I think it’s fun to look at this.

As customers engage with organizations, they expect a certain level of respect in exchange for the money they’re giving. They want the product or service to be provided at the level of quality they had in mind, to be provided in a courteous way, and to have their personal interests protected.

Essentially, customers expect these organizations to act respectfully and in accordance with their interests. They want follow-through on promises in a predictable and consistent way, products delivered with timeliness and quality, and the integrity of the transaction protected. These things make people feel secure in doing business.

Put another way, people will only give you money if they feel secure you’re going to give them something of value in return. It’s not enough to give them the product and move on. The product must perform as they expect, they must believe you’ll stand behind the product, and they must be treated respectfully throughout the transaction.

Essentially, customers must trust you. This allows them to feel secure and builds the basic willingness to do business with you. If we think about it, this makes security a characteristic of a trusting customer relationship.

This is not so much the security that keeps people from doing bad things, but rather the security that comes from a predictable outcome born of a rules-based transactional structure.

So what does this have to do with computing?

We recognize that computing is often strategic to organizations’ customer engagement, as it’s used to ease purchasing, improve customer service, and streamline communications. And of course customers expect these computer systems to provide the same trustworthiness as an in-person transaction, or more.

Yet I’ve seen substantial room for improvement in many organizations.

Instead of ensuring a consistent and safe experience, I see halfhearted stabs at security focused on keeping auditors happy. Instead of computers respectfully protecting customer data, I see systems with little operational discipline. Instead of a holistic structure that aligns to the needs of the business, I see technicians applying security controls with no concept of the overall goal. And worst of all, I see security technology that inhibits customers and the organization for no real reason.

This happens when IT organizations approach security as something they have to do instead of as a business enabler. This behavior drives a minimal level of attention and investment, which results in insufficient and limiting security. Security becomes window dressing to make managers happy, not a means to protect or enable customers and the business.

So ultimately, misaligned security hurts customer relationships because it’s ineffective, constrains business value, and is inconsistent with customer trust. This leaves business leaders and customers frustrated while bad guys exploit security weaknesses to gain advantage.

We must transform the perspective that security is only about keeping bad people out of things or complying with regulations. A first step towards fixing this is reconsidering security’s very nature.

Instead of considering security as defense and compliance, I believe we should consider it as a quality of both an organization and its computing systems. Security should be a quality assurance function rooted in delivering trust to an organization’s stakeholders.

Next time I’ll talk about how to consider computing (and security) from this perspective of quality.