The technology industry has faced some incredible security, trust and cyber risk challenges over the past few years—including increasingly intelligent external threats and careless consideration for the protection of customer data.
We sat down with Emily Heath, DocuSign’s new Chief Trust and Security Officer, to talk about building customer trust in this new information security age. “People don’t like what they don’t trust, and they don’t trust what they don’t understand. So, communication and transparency are key in this role,” said Emily.
At the start of her tenure at DocuSign, Emily laid out four priorities for building customer trust:
Combine physical security and cybersecurity
Emily brings an impressive track record of revolutionizing organizations’ approach to security, stemming from a deep understanding of people and a thriving curiosity about trust. From her early career as a detective on the fraud squad for the UK police force through her time as CISO of United Airlines, she’s learned the importance of combining physical and cybersecurity to protect organizations from the threats they face.
“It’s much more than information we are protecting now. Rarely is there a physical security threat without a cyber element attached,” Emily explained. “Combining this expertise on one team gives us a great advantage and allows us to correlate geopolitical intelligence with physical threats and cyber threats, consistently ensuring that our employees are physically safe while our customers’ data is secure and our operations are protected. The skill sets are different in physical and cybersecurity, but the mentality is the same.”
Build trust through transparency
Edelman’s 2019 Technology Trust Barometer shows that concerns about power over information and data privacy significantly contribute to a growing lack of trust in tech, also called Techlash. This is a serious issue that Emily believes security leaders in tech must acknowledge and address directly:
“We are obligated to run toward customer fear, embrace concerns about privacy and do everything in our power to resolve those concerns while being completely transparent with our customers. Making security and risk management a priority in digital transformation projects is critical for any organization to improve and preserve customer trust. Trust is a feeling. It must be earned and it’s fleeting. No checklist can prove you deserve it, it needs to be at the core of what you do,” Emily explained. “Security used to be bolted on at the ends. It’s now embedded in dev cycles. Security should be a way of working, built in at the get-go. It should be a part of everything you do as you’re doing it.”
The pathway to trust for any organization, Emily believes, is transparency. “Culture can’t be changed without sharing. Telling someone ‘what thou must do’ isn’t a recipe for success,” she said. “Instead, openly explaining both what is needed and why helps the engineer, employee and customer understand and be part of the solution.”
Diversify your approach to security
As the security landscape changes, it’s critical that organizations stay attuned to what security means to their customers, not just to their internal security teams. To do that, Emily believes that organizations need to bring together diverse security teams from all backgrounds and walks of life: “The way you solve cyber problems is by getting a creative group around the table and tackling those problems from multiple angles. Creatively tackling security challenges in multicloud environments also requires a depth of knowledge, so we assemble a team of people from across the board—from Google to AWS and Microsoft. This lets us think vertically and horizontally about what’s happening, and what could happen in the future.”
But building a security team isn’t just about industry experience. Rather than hiring by title, Emily encourages organizations to look for experience that is relevant to the challenge at hand. “I’m a big advocate of honing in on the problem you’re trying to solve and hiring people with the skill sets that can help you solve it, rather than hiring people for their title,” she said. “It’s entirely possible that someone in customer service or finance or an engineer has skills that lend themselves to the security problem you’re trying to solve.”
Emily explains that for any organization wanting to foster a strong security culture, making it as easy as possible for employees to tell you their concerns is key. Positive reinforcement is highly effective as well. “Remember, trust is an emotion. CISOs have to be marketers, too,” she said. “Tell people why. Run protect campaigns, not just abuse campaigns, and make it as easy as possible for employees to tell you their concerns.”
Security made simple
Beyond transparency, security efforts must feel simple if they are to succeed—they should be easy and efficient. “Security should be out of the way, not in the way and it should be easy for the end user to understand, while also solving real security problems,” Emily said. “At DocuSign, we make it easier to do business with us, and our products like CLM afford our customers an amazing level of efficiency. It can take months to go through contract cycles between redlining, storing and tracking. This process is not just inefficient, it’s also not secure. Leveraging the Agreement Cloud keeps your data in one place, which in turn reduces risk.”
At DocuSign, world-class security is especially important to us as we continue to build an award-winning API and need to balance innovation with security.