November 06, 2018

What Information Security Can Learn From the Hospitality Industry

Written by Rick Yocum
The Information Security industry has a lot in common with the Hospitality industry. Both industries are service oriented, high volume, and built on trust. As with all services founded on trust, establishing and maintaining healthy relationships is critical for success. Strong relationships can do a lot for a security program. They can garner additional funding and support, they can provide additional security champions amidst the workforce, and they can help detect potential security issues. For years, the hospitality industry has used the following principles to foster relationships through an intense focus on individual interactions, making them a perfect place to start if your goal is to enhance existing relationships.

Genuinely Care

Remembering that you are part of a service organization can be difficult. Although simple in theory, the trick is remembering that you have multiple related objectives that you need to simultaneously care about. Servers at restaurants have multiple customers who all have unique orders, questions, and concerns. The best servers listen intently, respond genuinely, and consistently make customers feel heard and important. At the same time, these servers have a kitchen that they need to support. They guide customers towards specials when possible, and politely work with customers to redirect any requests that would hurt the kitchen into orders that the kitchen can handle. Similarly, Information Security practitioners should make a habit of handling individual customer needs attentively, frequently suggesting the department’s preferred solutions, and working with customers to find alternatives to requests that would be detrimental to the organization’s security posture. For instance, if somebody requests administrative access to a sensitive system, it’s easy to say no and move on, but it’s often more effective to understand the reason for the request so that the challenge can be resolved without providing administrative access. Think of the best service you've received at a restaurant. What made that experience special? Work to replicate that in your team’s interactions.  

Be Present

Being greeted and seated by a host/hostess and asked about your experience by a manager are fairly standard restaurant experiences. These experiences are designed to introduce you to multiple individuals who can assist you, should you have an issue that cannot be solved by your server. Do your information security customers have multiple channels they can use to escalate an issue? Do you periodically check in with counterparts to understand their experiences with information security? Do you walk over to talk to people in person instead of just calling or messaging them? Again, think of restaurants. Most of the nicest ones maximize the interactions you have. They greet you. They hand-deliver a menu. They ask about your experience. Think about where you can add personal interactions into your service and it will increase customer satisfaction as well as your service awareness.  

Be Flexible

Although not every request can be accommodated, successful restaurants ensure that their staff understand common customizations that can be accommodated and consistently apply these rules to orders. If a staff member is unsure, often they will step into the back, confer with a manager, and return with a solution or an alternative. Ingredient substitutions, timing requests, and seating changes are all common modifications that are often accommodated within reason, albeit sometimes with a slight upcharge or service delay. Like a restaurant, the best information security programs anticipate common customizations, and have quick processes for getting answers from leadership and/or the larger Information Security community on less common customizations. Additionally, they will allow customizations if reasonable, and they will help find alternatives if a specific request cannot be met. How does your team approach non-standard requests? Are they discarded outright or are they anticipated, individually assessed on their merits, and redirected if unreasonable? Do you have an adequate support structure (internally and externally) for identifying whether atypical requests should be accommodated, and is your team empowered to say ‘I don’t know’ when they need to poll this support structure for information? Although not all requests can be accommodated, the more you do to try to satisfy the customer’s unique needs without sacrificing the quality of the program, the stronger your program will become.

Eat at Every Table

Have you ever been seated at a table in front of a window with an extremely bright light shining at you? Or directly under a strong air conditioner? Or uncomfortably close to a restroom? These situations can ruin a dining experience even if the service is strong and the food is great. Savvy restaurant owners will take the time to try eating at each of their tables at least once so that they are aware of the customer’s experience. Do you have different endpoints in your environment? Do you have different security configurations for different types of workers? Are you exempt from any of the rules that you enforce across the organization? If any of these are true, you might want to spend some time working under the configurations that your customers work with. You might find that an experience is unreasonable, priming your future interactions with customers to be negative. Alternatively, you might find that a configuration you thought was protecting the organization is easily circumvented when paired with the other unique configuration elements possessed by a specific type of worker.

Keep Customers Front-Stage

Most restaurants have a very distinct ‘front stage’ and ‘back stage’. The front stage is the greeter, the bar, the dining area, the restrooms, etc. The back stage is the kitchen, the administrative offices, the freezers, the storage closets, etc. To have a great dining experience, your customers don’t need to be exposed to the technical details around your service; they only need to be exposed to the end result. If you were at a restaurant and witnessed a screaming match between two employees, it might be a bit entertaining, but it might also lower your impression of the whole experience. The best dining experiences are calm, consistent, and crafted so that customers have all the information they need and none that they don't. Work to tune your operations accordingly. A disagreement on the technical merits of different approaches is great behind the scenes, but in front of a customer only serves to diminish their confidence in the end result. If somebody wants a ‘behind the scenes’ tour, feel free to give one, but most customers are only interested in their current request, so keep those requests the primary focus of their experience.

At the end of the day, both the hospitality and information security industries are built on trust, and a huge part of trust is establishing relationships. The restaurant experience has been refined over hundreds of years to help ensure that every interaction helps maximize the trust a customer has in the overall establishment. Build enough trust and you will see repeat customers who are often your best sources of feedback and advertising. Organizations are hungry for Information Security services. Try applying some of these principles to your program to help ensure they end up satisfied.