White paper Customer-first security: What it is and best practices for success

It’s always been important for Chief Information Security Officers (CISOs) to deliver value to the company’s
bottom line. But new demands are raising the bar much higher for CISOs.

Page 1 of 5 www.fujitsu.com

Why Read This Paper:

It’s always been important for Chief Information Security Officers (CISOs) to deliver value to the company’s bottom line. But new demands are raising the bar much higher for CISOs.

The key to meeting those demands, retaining customers, growing business and keeping organizations secure lies in recalibrating security strategies for more integrated, big-picture thinking. It means keeping customer needs and business goals front of mind. It requires making better use of data for more proactive security insights and faster response times, as well as understanding the risks to customers so you can better prepare security programs for success. In the pages ahead, this white paper explores how you can achieve those objectives.

Introduction

The volumes of data generated today are exploding. More and more functions that were once managed in-house are moving into the cloud, meaning more of an organization’s data extends well beyond traditional technology borders. This extended enterprise increases the already-massive potential for data leakage, data loss and regulatory compliance issues. Meanwhile, new data regulations are creating additional requirements to protect privacy and security.

These changes mean the threat landscape is continually evolving, making it hard for preventive measures to keep up. For CISOs, the pressure is on to make sure responses are immediate and are focused on protecting the best interests of their company’s customers.

At the same time, C-suite executives understand ROI, not IPS (intrusion prevention systems). They want CISOs to view information risk as a business challenge, and to address that challenge as any other part of the business would do. That means defining security in terms of tangible business value that can be measured.

For you as a CISO, all of this means new responsibilities. You need to not only keep your company secure but also prove the business value that your team creates.

That’s because the organizations best positioned to succeed in today’s fast-changing environment will be those where security is part of the culture, where it aligns with enterprise goals while keeping customer needs at the forefront at all times. In short, security must show how it adds customer value to contribute to the organization’s bottom line.

What’s the key to meeting these challenges?

It comes down to recognizing that security involves far more than technology. A truly effective security strategy ensures the business can deliver its products and services in a way that customers trust – not just for the value of security alone, but also for a positive business impact. Without customer trust – the foundation for a company’s brand and reputation – no organization can stay in business for long.

The elements of customer trust-based security require digital oversight and risk management, not just technology.

Growing proportions of consumers have indicated they do not trust organizations with their data. In the consumer space, studies have shown that loss of trust can lead users to abandon a brand after a data breach. For that reason, CISOs must take reputational risk seriously and build a risk management framework that sustains evolving business models while also building and retaining customer trust. This requires technologies, people and processes that ensure availability, reliability, integrity, confidentiality, privacy and safety, as well as resilience. But it requires the right mindset as well.

Prioritizing trust means embedding a data privacy and security mindset organization-wide, not just in IT. It also means focusing on the ROI of your security strategies by proposing security objectives that protect reputation, help reduce everyday operational costs and increase customer trust, as these all support business retention and expansion. Business relies on trust, and trust requires security.

As security becomes ever more integrated into the successful running of a business, CISOs must map everything into a business context that is relevant to the board and shareholders, while at the same time avoiding issues that are relevant only to IT decision making. This shift in thinking delivers benefits beyond security alone. It makes it easier for organizations to work better, innovate faster, deliver projects more quickly at lower costs, and delight customers. In short: it’s a must for digital business.

Roadmap to intelligence-led security and customer trust

In the emerging era of digital business, the traditional approach to security is no longer enough. Today, managing risks means paying attention to a vast amount of security activity and data – internally, across networks and in the cloud. That information can say a lot about past, present and future threats, and about how to make the best possible decisions for the business and its customers.

Making sense of such data requires an organization-wide recognition of security’s importance to the company’s success. It’s all about gaining an enterprise view, a big-picture vision of security that produces a more nimble, resilient and customer-focused business. It ensures that security is in your DNA.

How do you enable such a shift? While a risk-based and intelligence-led approach to security requires continuous effort and adjustments as circumstances change, the following roadmap will help get this strategy under way:

1. Start with your business goals. This involves answering questions such as, ‘What is my organization’s reason for being?’, ‘What is it trying to achieve?’, ‘What problems does it solve for customers and how does it do this?’, ‘What is the customer experience like?’ and ‘What about those customers’ customers?’ Once you’ve clarified what it is you’re trying to achieve, you can begin planning how to get there.


2. Then think about how security enables these goals. What data is used or generated in the course of pursuing these objectives? How does that data need to be protected? What systems and practices are needed to make this happen? Be sure to consider not only data provided by customers but data that’s produced and used during development, manufacturing and shipping, as well as during daily operations. It’s also important to think about how the customer experience relates to data security and privacy concerns.

3. Building on this, identify your security objectives to enable the larger business goals. Think about the new capabilities you’ll need, and what kind of governance will be necessary to ensure new processes are properly managed. Pay attention to data requirements for regulatory compliance, too. These can vary, depending on the markets and regulatory regimes in which your business operates.

4. You should also think about other projects, programs and applications that could come into play. For example, if one of your organization’s goals is to become more mobile-friendly for customers, how could the introduction of new user apps affect compliance with data privacy and protection regulations in different markets?

5. Another key step is to identify potential stakeholders who might have a say in your security transformation. Who needs to be consulted or informed? Whose support is needed? Who will be responsible and/or accountable? These could include everyone from internal marketing teams to outside technology partners, equipment manufacturers and app stores. It’s critical that all relevant stakeholders are involved, because their trust – whether it’s shareholders, employees, consumers or someone else – is essential to business success.

6. Then think about what other actions are needed to ensure your security goals are met. For instance, the rollout of a new customer app in regions covered by the EU’s General Data Protection Regulation might require your organization to designate a Data Protection Officer if you don’t already have one, or to set up new consent mechanisms for app users.

7. From there, establish the specific outcomes you’d like to achieve while working toward your business and security goals. For example: 50,000 active app users with the right levels of privacy, safety and security by the end of the fiscal year.

8. As you follow this roadmap, be sure to consider how achieving your goals and outcomes might affect the maturity of your security operation. For instance, driving rapid adoption of a new consumer app could require the hiring of additional developers and the adoption of faster development cycles.

9. Finally, decide how your security organization will track and measure progress toward achieving business goals. By linking security KPIs to wider company objectives, you ensure that security and business strategies are well aligned. Say your business is launching a new B2B e-commerce site and aims to sign up 1,000 new clients over the next 12 months – the security team could monitor a related metric, for example, by tracking how many of those users opt to use biometrics instead of passwords to log in.

By considering many different aspects of security and risk management, these steps pave the way for better, more insightful and more business-aligned security. They also underscore how security in the digital age is about much more than technology alone. To be sure, CISOs following this roadmap for transformation also need to watch for gaps that need fixing. But building a security culture that’s always watching for risks and ways to manage them is vital. Once these objectives and measures are in place, it’s also important to continually assess whether they are still right as the security landscape and business needs change, to avoid these measures becoming irrelevant.

What’s in it for you? How business-aligned security helps CISOs

Aligning security strategies to wider business objectives makes life better for CISOs in many ways. It builds greater awareness of the importance of security across the business and can help pave the way for the creation of security champions across the organization by linking effective security to business success as a whole.

Among the benefits you’ll discover:

• Wider organizational support – Better, big-picture understanding also makes it easier to communicate concerns with other business stakeholders, which improves the potential for cooperation. This provides better context on how security issues affect different parts of the business. In addition, wider support for security matters makes it easier to get buy-in for awareness campaigns, training and prevention programs… and other investments. There’s a mistaken notion that CISOs alone are responsible for organizational security, when in fact everyone in the company must play a part.

• Simplified security – Many businesses deploy far more security technologies than they need because of siloes across different departments, business units and office locations. Approaching security holistically allows for businesses to determine the best approach that fits with their enterprise architecture, but it can do more than streamline technology, too: it can also pave the way for automation, freeing people to concentrate on more rewarding, innovation-focused activities to drive competitive advantage. While transforming security operations can be complex and challenging, the longer-term result is simpler, smarter and more efficient security.

• Better insights for planning – A more business-focused approach to security also makes it easier to fine-tune strategies for an organization’s unique needs. This enables security to become more mature and forward thinking, rather than ad hoc. Setting targets – “We want to be here in three to five years” – is an essential part of this. Of course, circumstances will change over time, so this process must remain flexible and adaptable for continuous development.


• Budget benefits – By demonstrating how security contributes to improved revenues and other benefits, you will find it easier to make your case to executives during budget planning and to gain support for security investments from business stakeholders. Focusing your cybersecurity strategy on customer trust also promotes support for greater funding for technologies to attract and retain customers.

• More recognition of security’s value – Board-level executives want to know the business impacts of security risks and investments. When CISOs can go beyond the usual technical topics and communicate what security does in terms of risk management, brand protection, customer trust, privacy, data governance, third-party management and more, they demonstrate its value to wider parts of the business.

These are all concrete, real-life returns on investment for CISOs who choose to transform their organizations.

Overall benefits of business-focused security

C-suite executives have many reasons to welcome a security transformation too. Businesses where security is everyone’s business, when it’s well aligned with company goals and customer needs, reap clear advantages in the emerging digital environment.

Improved security thinking means fewer breaches. When breaches do inevitably occur, it means faster response times, fewer (or less severe) negative impacts, better lessons learned and improved resilience.

This means businesses are more compliant with data privacy and security requirements, and face fewer regulatory fines and fewer damaging news headlines.

In addition, organizations where security is baked in encounter fewer stumbles in new projects and initiatives. When development of new products and services takes security into consideration from the start, there are fewer “back-to-the-drawing-board” delays. This speeds up time to market, helping businesses move faster than competitors.

Last but not least, all of the preceding benefits of intelligence-led security ensure that customers’ data, privacy and security are taken seriously. This cultivates trust and contributes to the company’s brand and reputation. It encourages customers to remain customers, rather than looking for alternative places to do business.

Future security and the next generation of CISOs

All of the steps outlined above represent a work in progress. Security is a continually evolving process. It’s never “done”. However, that doesn’t prevent you from moving forward. Ideally, you should focus not just on where you’d like to be today or a year from now but on where the business should be over the longer term. That’s vital for companies to remain viable, successful and profitable in tomorrow’s more digital and connected society.

The next generation of CISOs must move closer to business management. It needs to fundamentally understand industry business processes, regulations and risk beyond just technology.

Making security a priority involves not only regular training and testing – the occasional dummy email to check for phishing awareness, for example – but a constant drip-feed of information. The goal is to get people thinking about security at work as much as they might at home, where most of them (hopefully) make a habit of locking their doors, leaving a light on at night and avoiding letting strangers in.

Building a security culture means cultivating security champions across the organization, avoiding complacency and “tick-box” thinking, and fostering an environment where people aren’t afraid to report mistakes. It also requires nurturing a diverse security team with a range of abilities and talents – people skills, technology skills, communication skills, business skills and more. So think about in-house apprenticeships and partnerships with educational institutions and professional associations.

Most of all, look for people who can step into the CISO’s shoes down the road and who share your vision of customer- and business-focused security. Whatever changes the future brings, your organization will always need to protect customers’ best interests.

Conclusion

Today’s security demands are vastly different from those of the past – and they’ll keep changing with the emergence of new technologies, new business models, new threats and entire new industries and needs. Nevertheless, the fundamental role of business security will always remain the same: to ensure and retain the trust of customers and other stakeholders so the company can stay in business and continue growing.

To embed this mindset in your organization, remember the following:

• As a CISO for this digital era, you must manage information risk and focus relentlessly on the customer if you want to maintain budget and authority, and gain relevance. Focusing on risk and customer needs is also essential for gathering, analyzing and understanding the right cybersecurity metrics for your business.


• Focusing on overall business goals and customer needs lets you demonstrate the value of security and contribute to the company’s bottom line. Beyond technology, security requires digital oversight, risk management, intelligence, insight and transparency. Enable this through centralization for a single-pane view of activities, needs and risks, and by embedding security thinking into everything your company does.

• Security is never done – it requires continuous effort to build awareness and adapt as needs change. However, you’re not alone: security concerns everyone, so you have an entire organization of potential champions who can contribute to the effort.

• Paving the way for future security requires planning, adaptability, flexibility and diversity – tomorrow might bring new business models but it won’t change the fundamental raison d’etre for businesses: to serve customer needs. What’s more, customer-focused security is good for everyone else as well – CISOs, security teams, product development teams, other stakeholders and the business in general – because it keeps the focus on human needs.

• While security involves far more than technology alone, technology is a great enabler. Thanks to the cloud and as-a-service options, solutions are easier, more affordable and more accessible than ever to businesses of all kinds.

Ultimately, your goal as a CISO is to help everyone in the company – from the CEO and executive board on down – to understand that security is a business enabler, and that it’s not just a cost center but a revenue generator. It’s the opposite of being the security leader whose only answer is “no”, which makes it hard for others to see you as a business leader. You demonstrate real leadership by getting in front of your organization and showing how you can increase revenue and profitability.

Want to learn more about how to transform security for a greater focus on customer and business needs? Fujitsu’s approach to intelligence-led security can help with advice, monitoring services, infrastructure services and more. Visit www.fujitsu.com/emeia/themes/security/, contact us at +44 (0) 1235 79 7711 or email [email protected] to learn how to get started today.
FOLLOW US on LinkedIn and Twitter @FujitsuSecurity

About Fujitsu Security


As a global security service provider, Fujitsu provides security and resiliency solutions across the full IT delivery lifecycle, integrated within the operational, service and security
framework within an organization; Fujitsu is an extension of in-house security capabilities. The diversity of customers and partners that we work with gives us an in-depth
understanding of differing security requirements across industries and geographies, while our advanced threat capabilities provide a comprehensive view of the ever-changing
cyber threat landscape.

We leverage 40 years of experience and investment in cyber security R&D to bring new ways of thinking. This means intelligence-led solutions to cyber security challenges – all
delivered to the highest security standards – helping customers build a cyber security capability that demonstrates true business value and enables business innovation.

Our wealth of intelligence and experience allows customers to be predictive and proactive, and our consultancy services and solutions keep you ahead of new and unexpected
threats. All of this means that you can be primed and ready to mitigate risks, helping your business focus on opportunities to create value – securely.

Here’s why you should consider Fujitsu:

• Fujitsu has achieved recognition from Gartner, the leading independent analyst firm, as one of the global leaders in Managed Security Services
• Our holistic approach to security works to combine human intelligence, through our highly-skilled analysts, with technical intelligence using Machine Learning, advanced
analytics tools and best-of-breed security technologies to deliver 24/7 support
• Thanks to our intelligence-led approach, we provide tailored solutions, giving you the ideal response to constantly shifting security challenges
• The strength of our proven experience, vendor relationships, and global scale means that we’re well placed to optimize your approach to security, and provide real-time
intelligence and visibility on the state of your IT environment
• We offer security services that meet compliance demands and align with security policies such as PCI DSS, ISO 27001/2, SOX and ISO22301:2012.

For more information, please visit https://www.fujitsu.com/global/themes/security/

Contact
Ask Fujitsu
+44 (0) 123 579 7711
[email protected]
@FujitsuSecurity
Ref: 3938

Copyright © 2019 Fujitsu. All rights reserved. Fujitsu and the Fujitsu logo are trademarks or registered trademarks of Fujitsu Limited registered in the United States and other countries. All other trademarks referenced herein are the property of their respective owners. The statements provided herein are for informational purposes only and may be amended or altered by Fujitsu, without notice or liability.

www.fujitsu.com/global
