Akshay Shetty, Deputy CISO at Guidewire Software, discusses the importance of transparency in cloud product/service providers’ security functions to build trust with customers. He believes that understanding these functions can help customers effectively fulfill their responsibilities within a provider’s shared responsibility model. Shetty emphasizes the need for providers to describe their security functions in an easily understandable way for customers.
Shetty has led security programs at companies that have transitioned from on-premise to cloud-based systems, giving him insight into effectively communicating security programs to customers. He has developed a framework for structuring security programs that align with a customer’s journey when adopting and operationalizing cloud products/services. This framework outlines the stages of a typical customer journey: Awareness, Consideration, Onboarding, Retention, and Advocacy.
In order to align security activities with the phases of the customer journey, Shetty recommends specific security actions that can be taken by product/service providers. For example, during the Awareness phase, companies should maintain a trust page on their website and develop toolkits to help customers navigate security and compliance requirements. In the Consideration/Acquisition phase, providing live walkthroughs of security features and responding promptly to security inquiries are important steps.
During Customer Onboarding, companies should document and publish security best practices, and provide guidance if customer implementations deviate from secure reference architectures. For Customer Engagement/Retention, ensuring secure operations, compliance with industry certifications, and assisting with customer security audits are key. During Advocacy, participating in security forums, publishing industry research, and collaborating with customers on security strategies are recommended.
Shetty concludes by emphasizing the importance of building customer empathy into security programs to achieve business objectives and deliver customer success. He encourages businesses to leverage his framework and align it with their own security functions, or require third-party vendors to do so. By focusing on shared security responsibilities and enhancing customer understanding, businesses can strengthen their security programs and build trust with customers.
