What Information Security Can Learn from Waiting Tables

Sunday, August 12, 2012

Robb Reck


Effective business requires effective customer service. This is true whether you’re in retail, manufacturing, services, education, or anywhere in between.

What makes an organization effective is knowing what its customer base needs or wants, and providing it in a manner that satisfies the customer.

Too often in corporate America, the information security department seems to forget this important lesson. We are only as valuable as the service we give to our customers. For many of us, our primary customers are internal. The business leaders, the IT department, our vendors, and many others are the customers who are served by the corporate information security department.

Below are a few tips we security professionals could stand to learn from a profession that must provide excellent customer service to make a living.

Tips from a waitress

  • “Smile! You’ll get better tips.” First of all, try to be nice. Yes, we live in a world where hackers are trying to break into our networks RIGHT THIS MOMENT. But, if we’re going to work effectively in the business environment, we need to learn to take a deep breath and smile. People want to work with friendly people. Just like you don’t like a waiter who is in too big a hurry to acknowledge you as a person, our internal customers want to believe that you see them as an individual, and give them the respect they deserve. By slowing down and making sure we take time to acknowledge each person’s unique role we not only will seem happier, we’ll actually be happier.
  • “You provide the options and the prices, they make the choice.” Just like a customer gets to pick what to order off the menu, the business gets to decide what kind of security they want. Yes, we know that your favorite super-expensive SIEM could provide outstanding assurance, but not every company has the same needs. Let your organization know what the options are, what it’s going to cost them, and the ramifications of their decision, then let them make the decision.
  • “Be ready to provide recommendations.” Have you ever asked a waitress to order for you? I have, and I’ve almost always been very happy with their choice. I know that the waiter knows the menu better than I do, and there are times that I just want the specialty of the house. That said, I sure don’t want the waiter to pick for me without me having asked first. In the same way, we security practitioners should be ready with suggestions about how security should be implemented, but let the customer prompt us. They may know better than we do what they need.
  • “Know your menu, but it’s okay to take questions back to the chef.” Yes, we security folks need to be highly technical in order to be effective. We have to be able to intelligently discuss dozens of technologies, from networking, to systems, to physical security. While we need to be able to discuss those, there is no shame in receiving a question, acknowledging we don’t know the answer, and going to do the research to find it. I don’t hold it against the wait-staff if they don’t know all the details of their menu, but it sure is pleasant when they are willing to go the extra mile to dig up answers to my questions, providing that extra value.

Information security is no less about customer service than waiting tables. While the financial reward in a restaurant is much more immediate (will they leave a 10% tip, or 25%?), it exists equally in both worlds. If you aren’t meeting the needs of your customer, eventually you’re going to find that you don’t have any customers left to serve.

Cross-posted from InfoReck
