whoisjoe.com

Understanding Customer Needs and Helping Them Mature

  

September 22, 2014


(Originally posted on the Security Innovation Blog)

## Security Innovation’s manifesto on being a trusted advisor

Each client has a different background as well as a different depth of knowledge, experience, comfort, maturity, and trust. As trusted security advisors with a genuine and heightened passion for helping our clients fundamentally improve their processes and build internal expertise, we take pride in delivering customized solutions that meet each company’s needs. At its core, this goes beyond simply setting and meeting expectations reliably.

We do this by:

  • Building trust - this is achieved by being dependable and professional and demonstrating that we have the customer’s best interest in mind
  • Fostering Education - ensuring that we transfer any internal expertise of the problem to the customer in a way that they can understand and repeat in the future

## Building Trust

Building trust allows us to help our customers in meaningful ways and facilitate their ability to build internal expertise and operational maturity. As trust is galvanized, customers realize that we are more than just a service provider and that we truly become a member of their team during the engagement, providing recommendations and insights as if we were actual employees. This creates loyalty on both ends as we realize that both parties are looking to achieve the same objectives in the most effective and impactful way possible. This makes it easier and more comfortable for our clients to proactively come to us with more challenging issues because they know we have their best interest in mind.

Once we have built trust with the client, we often engage in conversations and engagements that help them mature their processes, which is the backbone of an effective Application Security Program. Depending on how much the client knows about application security, we adjust our technical conversations up or down. On one end of the spectrum, we may be teaching, leading and providing detailed explanations to help our client build their baseline understanding. At the other end of the spectrum, our experts will spend more time listening, summarizing conversations, and partnering with our client to create more novel solutions to unique issues. A client with less maturity typically needs more of a leader and a teacher. In this case, we need to make sure we understand their specific needs, and it often warrants us recommending a less complex, more turnkey solution due to their less extensive infrastructure and processes. A client with more maturity often needs an architect to solve challenging problems, understand their current process and offer customized and unique solutions.

The manner in which we interact with clients also changes based on the various security roles and stakeholders. For example…

  • CSOs are often concerned with the overall expense or value of the project
  • Engineers and Developers may be concerned that we’ll find mistakes in their code
  • Security Engineers may be worried that we will identify a lack of proficiencies in their capabilities

Understanding the root of each stakeholder’s concern helps us adjust the language and tone of our conversations. In turn, this yields more open and trustworthy communication.

Lastly, we always keep in mind that trust needs to be earned and sometimes grows more slowly than anticipated. We do not expect it to happen overnight, nor do we expect to be implicitly trusted by the client, but we are always driven by reaching our goal of complete trust.

## Education and Knowledge

When communicating with our clients, it’s important that we phrase our conversations appropriately so that we do not incorrectly assume something or miss out on an opportunity to have more detailed follow-up conversations. Depending on how much our client already knows about application security, we fine-tune our teaching, explaining and leading techniques. This ensures that our clients always have at least a baseline understanding of security and equips them to be more active participants in future decision making. It is important to help improve our client’s knowledge so they can become a partner in improving their security posture. As our clients become more knowledgeable about application security, our conversations often become more collaborative. At this point, the client may have a solid understanding of certain facets of security and is encouraged to play a greater role in the decision-making process.

If a client has a solid understanding of security and process, they may also have a good understanding of how to solve their problem. In that case, our relationship changes from a leader/teacher role to a partner role. As a partner, we may be asked to play an equal part in the problem-solving and remediation process. In these situations, where we do inject our expertise, we do so in a manner conducive to continued learning.

Our goal is ultimately to teach our clients as much as possible without overwhelming them. Key to this is helping clients reduce stress and solve problems around security. We avoid compounding our clients’ existing challenges by expecting them to learn or know as much about security as we do.

…After all, that is why we have been contracted.

Posted By: Joe Basirico
