Blog: CISO Guide - Governance for the Customer Experience

Posted by Ed Ponte
Ed Ponte”
Find me on:

data retention policies by regulation

Your CRM Requires Data Governance Too

Given the wide variety of concerns which are “top of mind” for a CISO, it is easy to overlook what is potentially a major risk to their organization.  In our modern digital-first world, companies seeking efficiency and scale must market, sell, and service their customers utilizing digital channels.  The cloud has rapidly evolved from its’ origin of providing mere applications to providing Platform as a Service (PaaS) and other models of shared responsibility thereby increasing the complexity of identifying, classifying, securing, and monitoring sensitive organizational data.  Adding to the complexity of the challenge is the rate of change in the cloud platforms themselves, in the market conditions of the organization, and in the increased scrutiny of worldwide governments due to massive public breaches and the growing lack of trust in businesses by consumers.   CISOs must take the time to understand the exposure that the cloud-based systems used to deliver their organizations’ Customer Experience (CX) represents to their organization.

An often-overlooked risk is that marketing, selling, and servicing customers utilizing digital channels can at times require the utilization of sensitive customer information to deliver compelling customer experiences.  This is not an edge case when one considers that as of 2018, 89% of companies compete primarily on the basis of customer experience – up from just 36% in 2010 (Hyken).  

Customer Relationship Management (CRM) systems in particular tend to be core applications supporting these activities given the concentration of customer information which has collected within them in their rising adoption over the last 25 years.  A related testimonial to this fact is that Gartner stated in June 2019 that “...spending on CRM software grew 15.6% to reach $48.2B in 2018...” and that CRM software is a quarter of the entire enterprise application spend worldwide.  

These systems tend to contain vital customer and prospect data, interaction histories, preferences, product holding information, and vertically specific information; all of which has the potential to include sensitive information that needs to be properly identified, classified, encrypted, monitored, and protected.

Cloud vendors have done reasonably well in securing the infrastructure of their offerings which can easily lead one to conclude that application and data security is similarly well taken care of.  While this may be true for many Software as a Service (SaaS) applications, it’s highly unlikely to be true in PaaS or Infrastructure as a Service (IaaS) environments due to the shared responsibility nature of full stack security.  One should take note that today’s leading CRMs are PaaS solutions which enable the building of custom applications to meet the continuously evolving omnichannel customer experience requirements.  It is a natural evolution for these vendors, consistent with the evolution of their customers’ market conditions and operating in a digital-first world.

The top CRM/PaaS vendors have also done a reasonably good job at providing instrumentation, security, privacy, and monitoring capabilities into their platforms.  However, it is up to their customers and partners to do the heavy lifting in leveraging these capabilities to ensure their organizational security posture is adequately implemented in the applications running on these platform(s).  In other words, PaaS customers have been provided the bricks (platform capabilities) with which to build the walls which will form their customer experience cathedral.  Application features providing both efficient implementation and monitoring of items such data classification, user/object/field access, event monitoring, and field encryption are typically available but can be extremely time consuming to implement.        

There can be a subconscious tendency to overlook the organizational risk introduced by customer experience platforms given the time and effort required to achieve the desired security and privacy outcomes compared to the timelines being dictated by the external forces of cloud vendors, the organizations’ market(s), and government regulation.  Cloud vendors leverage agility, DevOps, and CI/CD to release multiple mandatory updates each year.  Each release introduces new objects, data fields, and capabilities which must be evaluated against the risk they might cause to the organization.  Customer experience (CRM) systems are at the “tip of the spear” in experiencing and reacting to changes in market requirements.  GDPR and CCPA are both prime examples of international government privacy-related actions with wide-ranging impact which will require remedial actions within many businesses.  While platform capabilities commonly exist to meet all of these change vectors, leveraging those capabilities to achieve the desired security & privacy posture in a timely manner often proves to be impractical.


It is time to investigate both the security and privacy posture of the core systems which deliver the organizations’ customer experience.  These systems often are not as secure as one perhaps thought they might be and their usage across channels will continue to rise over time.   In many instances these systems are IaaS or PaaS based solutions upon which new applications are being developed or purchased. This can leave the CISO thinking of the application legacy of the vendor brand rather than how it is actually being used today and the organizational risk which that usage may entail.


Hyken, Shep. “Customer Experience Is The New Brand.” Forbes, Forbes Magazine, 16 July 2018, Accessed 8 October 2019.

“Gartner Says Worldwide Customer Experience and Relationship Management Software Market Grew 15.6% in 2018.” Gartner, Gartner, Inc., 17 June 2019, Accessed 8 October 2019.

Topics: Salesforce Security & Privacy, Security and Governance, Blog, Security, Governance

Subscribe to the Blog