For a Superior Cybersecurity Customer Experience, Define Success —Then Measure It
I’ve worked in the customer experience (CX) field my entire career (whether I knew it or not). In that time I’ve seen and employed plenty of approaches that work—and nearly just as many that don’t. In the months to come, I want to share some of what I’ve learned with other CX professionals in the cybersecurity space, and with those Security and IT professionals who will engage CX teams at some point.
Even if you’re not personally implementing or supporting a security solution, you should know what to expect in terms of best practices. You should know what to demand from CX organizations. After all, they’re taking your money.
When it comes to customer success, it all begins at the end. By that I mean it begins at what the customer envisions as a successful end state. This is defining success: Determining where the customer wants to take their cybersecurity initiatives, where they want to see improvement, and how soon they would like to get there.
With a few exceptions, most CX teams arrive on the scene after the customer has already chosen a specific solution. So unless the sales team has somehow delivered unrealistic expectations, the customer should have a good sense of how well-suited the solution is to help them reach their desired end state. (In many cases, however, good sales and CX teams will unearth possibilities that never even occurred to the customer. I’ll explore that topic in detail in a subsequent blog.)
How to define success
Customers will likely arrive at the deployment stage with their own set of goals in mind, since they had specific use cases or problems that led them to deploy the security solution at hand. Those use cases will determine their vision of the future.
At times these objectives can be vague or incomplete. It’s the job of the CX team to partner with customers to help explicitly define the success criteria and goals. At Kenna Security, I head up the team that deploys, guides and supports one of the market’s leading vulnerability management (VM) solutions. In the world of vulnerability management—which involves identifying, prioritizing and remediating vulnerabilities in enterprise devices, networks and applications—customer goals tend to cluster around a few key wants:
- Keep up with the growth in vulnerabilities. The average enterprise has millions of vulnerabilities, and the volume and velocity of vulnerabilities continue to skyrocket. It’s impossible even for well-resourced Security and IT teams to fix them all.
- Automate manual VM processes—particularly prioritization. Security’s traditional approach to identifying and prioritizing vulnerabilities is largely manual and still leaves IT and DevOps with far too many vulnerabilities to remediate. So a primary goal is to automate prioritization of vulnerabilities.
- Improve efficiencies. Security teams can spend a lot of time investigating and monitoring vulnerabilities, and then it’s up to IT and DevOps to remediate the most important ones. Organizations want to make better use of existing resources and budget, and achieving new efficiencies helps.
- Reduce friction between teams. Teams are often at loggerheads when Security merely hands IT and DevOps endless fix lists with no explanation or understanding of priorities.
- Streamline compliance. Virtually every large enterprise is required to meet various data security requirements, and those that handle sensitive customer data or payment information face additional scrutiny. Easing this burden is almost always a goal.
- Ease communication and reporting. Board members and non-tech C-level execs generally don’t speak VM, and old-school metrics are largely meaningless to them. For CISOs and other Security execs, the ability to deliver necessary information and demonstrate progress to these audiences is a persistent need.
Each organization will have its own unique priorities, and a good CX team will help shape these into a success plan based on what’s most important to the customer.
To develop a success plan, choose metrics that matter
But critically, the CX team must do more than say, “Let’s make your remediation process more efficient.” It has to draw hard lines around a customer’s unique definition of success by setting benchmarks and milestones that will provide a roadmap to their desired end state. And it must provide the appropriate metrics and KPIs so customers will be able to measure and demonstrate their success.
The limitations of traditional vulnerability management tools have meant that VM has been plagued by overly simplistic views of what success looks like. Security teams once issued reports about the number of vulnerabilities remediated over a certain timeframe. But this most basic of metrics did little to communicate the real value of a modern vulnerability management solution: reducing the risk to the business posed by vulnerabilities.
Key to developing a success plan is introducing meaningful metrics to the customer’s environment. By meaningful, I mean metrics that demonstrate not just that remediation teams are knocking down vulnerabilities, but that everyone involved is working to reduce risk to the business. That’s a yardstick everyone can understand, including and especially C-level execs and board members who don’t have the patience to wade through spreadsheets.
Within a VM environment, several sophisticated metrics have emerged to help track and quantify success. These typically focus on the headway Security, IT and DevOps teams make toward remediating vulnerabilities that are determined to pose a particularly high risk to the infrastructure and applications in the enterprise stack. (At Kenna, we determine this using data science, real-time threat intelligence and predictive algorithms.)
When we work with customers, we ensure that the VM solution is set up to slice performance data so that success can be seen from several angles. Common metrics include:
- Coverage, which measures the completeness of vulnerability remediation, or the percentage of exploited or high-risk vulnerabilities that have been fixed.
- Efficiency, which tracks the precision of remediation, such as the percentage of all remediated vulnerabilities that are actually high risk.
- Velocity, which measures the speed and progress of remediation.
- Capacity, which determines the number of vulns that can be remediated in a given timeframe and calculates the net gain or loss.
- Overall, which is a composite performance measure based on the above.
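As an added illustration (not Kenna’s own code or scoring method), here is how the first four metrics above can be computed over a small constructed set of vulnerabilities. The 1-to-100 risk score is the one the post describes; the high-risk cut-off of 67, the day-based velocity measure and the sample records are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data (not from the post): one record per vulnerability with the
# 1-100 risk score the post describes, an ISO discovery date and an optional fix date.
@dataclass
class Vuln:
    vid: str
    risk_score: int            # 1..100, 100 = highest risk
    found: str                 # YYYY-MM-DD
    fixed: Optional[str] = None

HIGH_RISK = 67  # assumed cut-off for "high risk"; a tunable, not a value from the post

SAMPLE = [
    Vuln("V-1", 95, "2023-01-02", "2023-01-10"),
    Vuln("V-2", 88, "2023-01-03"),
    Vuln("V-3", 40, "2023-01-05", "2023-01-06"),
    Vuln("V-4", 72, "2023-01-08", "2023-01-20"),
    Vuln("V-5", 15, "2023-01-09", "2023-01-12"),
    Vuln("V-6", 90, "2023-01-15"),
]

def _days(a: str, b: str) -> int:
    return (date.fromisoformat(b) - date.fromisoformat(a)).days

def coverage(vulns, threshold=HIGH_RISK) -> float:
    """Completeness: share of high-risk vulnerabilities that have been fixed."""
    high = [v for v in vulns if v.risk_score >= threshold]
    return sum(v.fixed is not None for v in high) / len(high) if high else 0.0

def efficiency(vulns, threshold=HIGH_RISK) -> float:
    """Precision: share of everything remediated that was actually high risk."""
    done = [v for v in vulns if v.fixed is not None]
    return sum(v.risk_score >= threshold for v in done) / len(done) if done else 0.0

def velocity(vulns, threshold=HIGH_RISK) -> float:
    """Speed: mean days from discovery to fix for remediated high-risk vulnerabilities."""
    days = [_days(v.found, v.fixed) for v in vulns if v.fixed and v.risk_score >= threshold]
    return sum(days) / len(days) if days else 0.0

def capacity(vulns, start: str, end: str) -> int:
    """Net change in the window: fixes minus new findings; positive means the backlog shrank."""
    fixed = sum(1 for v in vulns if v.fixed and start <= v.fixed <= end)
    found = sum(1 for v in vulns if start <= v.found <= end)
    return fixed - found
```

On the sample, coverage and efficiency both come out at 50%, which shows why the two are reported together: half the high-risk findings are fixed, but half the remediation effort went to low-risk items.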
The right tools make all the difference
I made the point earlier about boards and C-suite execs caring about risk: measuring it, managing it, and reducing it. For CISOs, this focus on risk is actually convenient, because cybersecurity is all about reducing risk. (Yes, it’s about preventing data breaches, denial of service attacks, ransomware infiltrations and more, but these are all individual battles waged in the war to reduce a customer’s risk profile.)
When we’re creating a success plan for customers, we make sure to set them up for success by implementing processes and tools that have been proven hundreds of times over.
One way we do this is by providing automated tools like risk scores and risk meters. These are crucial for making VM efforts clearly data driven, and for intuitively communicating status and progress.
Risk score. Each vulnerability is assigned a risk score. Based on a scale of 1 to 100, with 100 representing the highest risk, the risk score shows the relative risk that a vulnerability poses to the organization based on a number of factors, including the prevalence of the asset on which it exists, the likelihood it will be exploited by hackers or malware, and the organization’s own tolerance for risk. The risk score helps Security teams prioritize and manage that vulnerability, and it gives them an evidence-based way to get IT and DevOps aligned around the same priority.
Risk meter. The risk meter allows customers to instantly view their progress in reducing risk by department, asset group (say, all customer-facing servers), or other category. Our customers have found that risk meters help motivate different remediation teams into a friendly competition to see which group can drive down its risk meter furthest. Risk meters are particularly helpful in communicating progress to non-technical audiences, and help ensure adoption, which in turn leads to Security achieving greater ROI from its investment.
Suddenly, everyone sees a metric they can easily appreciate and support, and Security and remediation teams get the recognition they deserve. Now that’s what I call success.
Every cybersecurity solution provider has its own tools to arm customers with, and its own metrics based on what value it’s intended to provide to customers. But the responsibility to set up customers for success is universal. Because security is simply too important to risk.
To learn more about what a success plan will look like for you, talk to an expert.