Working on the growth team at Castle, I’m often in touch with stakeholders for consumer identity that have varying backgrounds. Every CISO, Security and Customer Experience (CX) team member I connect with truly has a vested interest in protecting their users’ accounts. Without account security, their roadmap, reputation and customer base is on the line.
Many teams within an organization (Security, Fraud, and Customer Experience) share responsibility for protecting the consumer identity. It’s at the core of many functions within a company from pure security to revenue and sales. However, each team has different metrics where the priority and risk tolerance can vary greatly. This can lead to different tracking and policies which can cause misalignment within the organization.
What Are These Different Metrics?
Keeping Out The Bad Actors
From the security team’s perspective, if no bad actors are coming in, everything is working as expected. Security teams’ core metrics rely on blocking malicious activity and bots from accessing their site or application. Blunt instruments like Web Application Firewalls (WAFs) or legacy bot detection methods successfully prevent obvious threats, such as DDoS and OWASP Top 10, but more sophisticated attacks often fly under the radar. Their application is too broad and false positives can be experienced by legitimate users.
If you’re on the fraud team, you’re doing your job well when losses remain low and stable. Fraud teams frequently rely on audit reports to identify account takeover (ATO) fraud but these reports are difficult to parse and derive value. The analysis is oftentimes done days, weeks, or months after a fraudulent activity has occurred and resolution requires a lot of manual work to complete. In fact, 2019 research from the Ponemon Institute suggests the average time to identify and contain a breach is 279 days, and during that long time period of exposure, many consumer accounts could have been fraudulently taken over. With data breaches being difficult to detect, subsequent fraudulent activity resulting from breached credentials can run rampant and unnoticed for long periods of time. With these metrics, there’s a lag in time between when the fraudulent activity occurs and when the root cause is identified. During this lapse in time, further fraud may occur or news of the breach may be leaked to the press.
Fraud teams’ work is crucial in digging deeper into the issue, but tools are needed to allow them to quickly identify and remediate an ATO incident.Traditional fraud tools oftentimes are inflexible and not fast enough to keep up with modern threats. In addition, fraud teams need to outsource remediation workflow with other teams, such as CX teams, to secure those accounts as soon as possible.
Looking Out For The Customer
For CX teams, such as product and application engineering teams, the customer is always right despite the fact that they may engage in bad security practices. Examples include reusing the same password all the time or sharing their account with others. CX teams focus on the user experience and making the application as easy to use as possible. However, when ease of use isn’t balanced with security, apps are left open to vulnerabilities. The UX may be smooth, but if the consumer identity is compromised or there is too much security friction, the user ends up with a subpar experience leaving them frustrated and likely to churn.
Reliance on support tickets provides limited data about the customer experience. They may not show the full picture of the consumer identity, exactly how many customers are frustrated or how it affects the organization as a whole. Because customers may not have the ability to provide complete information about their issue, like being locked out of their account, the lack of bilateral communication between the customer and the support team can greatly slow the remediation process.
Why You Need to Bring It All Together
All three teams want the same end result but approach the problem differently. WAF metrics don’t show jammed support queues or user dropoff. Delayed fraud reports may not show commonalities in attacks and support tickets don’t always tell the full story. Varying systems, policies, and tracking can lead to frustration among teams when everyone is relying on different data to tell the same story. Here are some things organizations should consider:
Align data across teams
With access to the same system that includes data of compromised accounts, detected threats, and login activity, teams can view the consumer identity from a high-level like login activity trends or drill down to an individual user account activity for further investigation. I've typically seen companies consolidating their data in Datadog or SIEM tools like Splunk or Sumo Logic to help all the teams work together under one roof. Make sure all your security and fraud tools support the ability to push their data like this. When teams have access to the same information, it’s easier to work together to protect the consumer identity.
Measure what matters
Security, Fraud, and CX teams need to come together and identify the key metrics around the consumer identity. Whether it’s a reduction in false positives, support tickets, or fraud investigations, rallying around these metrics allow for each team to have ownership in the consumer identity. When the data driving these metrics is accessible to all the relevant stakeholders, there’s less opportunity for misalignment between teams and a clearer understanding of the consumer identity emerges. We’ve seen some customers use solutions like Amplitude or Google Analytics to understand conversion metrics.
Timing is everything
With access to data and the ability to act in real time, companies can switch from a reactive security approach to a proactive approach. Solutions like Splunk work in real-time, but don’t sit inline. They’re best paired with risk-based authentication tools that can verify identity and automate account recovery to allow customers to self-heal. With these solutions in place, security operations teams don’t need to manually review threats and support teams don't have to reach out to each compromised customer. As a result: time is saved, threats are mitigated, and the consumer feels protected.
Finding The Right Balance
When metrics are shared and measured on one system, the consumer identity strategy is more clear and measurable. With this approach, the needs and priorities of related teams are balanced. Security teams can ensure the right security policy is applied at the right time while ensuring the perimeter is safe. Fraud teams can prioritize other projects and customer support teams can continue to provide timely service to their customers. When everyone is using the same data and aligned on metrics, both the company and their users win.
When I speak with customers today about aligning metrics and goals between these three teams, they realize they can optimize their current security investment as well as get faster time to value. All of these cost savings and optimizations make it critical for their business to thrive, when time and money is more valuable than ever.