Chapter 03
People power
The people within any organization are simultaneously the first line of defense and the weakest link in the security chain. Even if a potential partner can claim to take a best practice approach to the selection and application of tools and processes, or point to the right credentials or security department structure, it shouldn’t be considered a viable candidate for your CX delivery if it can’t also prove it has a security culture.
What is a security culture?
Unless every employee within an organization recognizes the importance of system and information security and is an active participant in mitigating risk, any potential partner cannot rightfully claim to have a genuine culture of security or, by extension, claim to adhere to a security by design philosophy.
A security culture goes beyond the breadth and depth of an organization’s security team. No matter how well-resourced, if that team is operating as a siloed entity, it will forever be in a reactive, firefighting mode. In worst-case scenarios, this creates a disconnect within the wider business where employees feel shielded from the ramifications of their actions and view tools or processes designed to mitigate risk as roadblocks to productivity or business growth.
A security culture removes these operational silos and replaces them with individual and collective accountability. Employees understand that following security best practices is central to the execution of their duties and, crucially, if a mistake does occur, feel empowered to report it immediately to minimize any potential impact.
How can you tell if a potential partner has a security culture?
The first place to look is the boardroom. The C-suite and security teams need to be aligned and speak the same language. Even as the reputational and financial damage that can be inflicted on an organization following a security breach increases, there are still executives who view security as a cost of doing business or as a simple risk reduction exercise rather than as central to business strategy and a crucial point of positive differentiation.
Beyond the boardroom, employee metrics such as staff retention and attrition rates and eNPS scores are powerful indicators of whether or not a security culture is delivering in practice what it promises in theory. Even with executive sponsorship, attempts to make an organization more security conscious can fall short if those measures undermine rather than add to the overall employee experience.
The relationship between employee experience and cyber risk
The sophistication and frequency of attacks may be increasing year-on-year, but one constant remains. In most cases, a successful breach is the result of human error. When people are under undue stress or pressure, if they don’t have access to the right or sufficient resources, or if they are trying to work within a negative or unsupportive environment, they are less likely to be focused and engaged and more likely to make mistakes that open the door for attackers.
In the current economic environment, many organizations find themselves operating under increased pressure, whether that pressure is caused by a search for sustainable growth or to lower operating costs. Unless there are ways to reduce some of that pressure, you are increasing the risk of falling victim to a successful breach. Indeed, reducing pressure on in-house operations and bringing costs under control are two major reasons why many organizations will be assessing and comparing outsourcing experts.
And this is why part of any assessment needs to include evidence of long-term investment in employee experience. From a cybersecurity standpoint, a positive employee experience mitigates risk. Engaged employees are more focused, less likely to make errors resulting from distraction or a lack of care and are more likely to follow protocols or adhere to processes. Crucially, they are also more likely to remain loyal to the organization and, within the context of day-to-day operations, have the confidence to immediately report an error when it does occur.
This is a key point of differentiation. Organizations that are focused on security can inadvertently create a working environment where mistakes feel stigmatized or where blame and accountability become conflated. Instead, the key to minimizing cyber risk is to create a supportive, inclusive working environment that balances positive reinforcement with enforcement of consequences.
Do your homework
As such, the employee experience is also a critical element of any organization’s approach to delivering a safe and secure work-from-home environment.
Unlike in the wider business world where large-scale remote working is a relatively new phenomenon, within the BPO industry, maintaining a floating secure network of remote agents has been a key element of resource deployment and effective customer experience delivery for many years.
Nevertheless, today its significance — as an aspect of CX delivery and of attracting and retaining the right talent — has grown significantly and any potential partner needs to provide evidence they can support remote operations, at scale, across business functions, without increasing security risk.
Protecting against remote possibilities
In terms of digital tools or protocols, every leading BPO provider will have a slightly different approach to securing remote work, but the result must be the same — a best practice solution.
In addition to providing a secure network with end-to-end data encryption, whether the data is being shared or stored, it means endpoint management that can lock down any device remotely connected to its networks so that a computer can be converted, when necessary, into a dumb terminal. In practice this would mean automatic disabling of functions such as copy and paste, file transfer, browser access, and hard disk or USB port access.
The organization’s IT function should also have the capability to autonomously monitor the health of all network-connected devices and forcibly execute software, application or antivirus updates.
There should also be a robust system in place for identifying personnel. Ideally, this will be via a multi-layer multifactor authentication process that further includes geo-fencing and alignment of access permission or denial to historical shift patterns.
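The layered check described above, written out as an added example (not code from the original guide or from any provider): a login is allowed only if the MFA factors verified, the device is inside the agent's geofence, and the attempt falls within that agent's historical shift window. The user, coordinates and shift data are constructed sample values.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample data (hypothetical): per-user geofence as
# (centre_lat, centre_lon, radius_km) and historical shift windows
# as {weekday: (start_hour, end_hour)}, Monday = 0.
GEOFENCE = {"agent01": (51.5074, -0.1278, 30.0)}
SHIFTS = {"agent01": {d: (8, 17) for d in range(5)}}  # weekdays, 08:00-17:00
GRACE_HOURS = 1  # tolerate logins shortly before/after the usual shift


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance via the haversine formula; adequate for geofencing."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def in_shift(user, when):
    """True if `when` falls inside the user's recorded shift for that weekday."""
    window = SHIFTS.get(user, {}).get(when.weekday())
    if window is None:
        return False
    start, end = window
    hour = when.hour + when.minute / 60
    return start - GRACE_HOURS <= hour <= end + GRACE_HOURS


def check_login(user, when_iso, lat, lon, mfa_ok):
    """Evaluate the layers in order; the first failing layer is the deny reason.

    Returns ("allow" | "deny", reason) so the decision can be logged and audited.
    """
    if not mfa_ok:
        return ("deny", "mfa_failed")
    fence = GEOFENCE.get(user)
    if fence is None:  # no enrolment record: fail closed rather than open
        return ("deny", "no_geofence_on_file")
    c_lat, c_lon, radius = fence
    if distance_km(lat, lon, c_lat, c_lon) > radius:
        return ("deny", "outside_geofence")
    if not in_shift(user, datetime.fromisoformat(when_iso)):
        return ("deny", "outside_shift_pattern")
    return ("allow", "all_layers_passed")
```

Each denial carries a reason so the operations team can see which layer is rejecting an agent and distinguish a travelling employee from an anomalous attempt.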
Maintaining a cultural consistency
In this regard, any potential partner will also need to demonstrate how it provides leadership, support and recognition for employees who work permanently or predominantly off-site so that they are just as culturally aligned and therefore engaged in following protocols as their on-site colleagues. When fully remote or hybrid working are key elements of business operations, those operations can only be considered sufficiently robust or sustainable from a security standpoint when there is no disparity in the employee experience for those who work on-site and those who work off-site.
Action list
Validate the implementation and support of a strong security culture.
Confirm direct reporting of security functions to the C-suite and prioritization of security strategies.
Review long-term employee metrics like retention and eNPS to gauge workplace satisfaction.
Determine if the organization is recognized as a leader in employee experience.
Examine methods for delivering security-awareness training to employees.
Ensure best practices for securing remote workers are followed.
Check scalability of remote operations across business functions.
Explore management strategies for predominantly off-site teams and individuals.