
Hello, governance: Keeping your PaaS protected


I’ve seen the applications for customer relationship management solutions expand significantly over the course of my career. Initially, the CRM was seen exclusively as a tool for sales and marketing. Companies used it to collect, store, and manage their key customer data and sales pipelines — the ol' Rolodex in the clouds. Over time, CRMs have evolved into mission-critical systems driving improved sales and marketing processes while expanding into realms many didn't consider. Many would be surprised to hear that their "CRM" is now also the HR system or the finance system.

Distinguishing between a CRM and a platform is important because platforms create advantages that CRMs don’t. CRMs were never designed to maximise the value of each customer interaction. Equally, CRMs were rarely brought into the enterprise with an upfront data governance framework to ensure appropriate controls are in place to restrict access, minimise exposure of sensitive data, and deliver accurate and timely compliance reports.

It's an amazing time to find platforms as a service, or PaaS: applications that expand across the business and connect so many customer interactions that were often siloed and lacked context. In a lot of ways, the PaaS solutions feel like the Ferrari of software — products with every feature imaginable, the flexibility to meet specific line-of-business requests, and the performance to put all that data to work. But a Ferrari with flat tires won't go anywhere fast.

The enterprise does have a shared responsibility in PaaS to govern data, people, and the applications themselves, which makes it significantly more complicated than software as a service.

How and why insecurity happens

I recently worked with a client whose experience illustrates the tension between open platforms and responsible cybersecurity.

The client had a CRM product they liked a lot and wanted to utilise for more than just sales. They hoped to streamline their end-to-end operations by integrating more data, including sensitive material like Social Security numbers and private banking information. From a business perspective, this made a lot of sense. But the client’s information security team quickly became a blocker on the critical path, because the CRM team hadn't yet arrived at a data governance model. The security team was cast as the bad guys at the time, but the real cause was a lack of understanding of this shared responsibility across the enterprise.

The problem was not that the CRM was incapable of securing sensitive data. As the client’s IT team rightly recognised, without a strategy to secure the incoming data, there was tremendous risk in proceeding in a "trust-us" model. The combined risk of data breaches, regulatory penalties, and bad publicity made it unthinkable to move more data into the CRM without updating its capabilities.

This is a common problem that many organisations don't fully understand. If they acknowledge the security risks of integrating more data in one place, data stays siloed and the benefits of platforms never materialise. Conversely, if they overlook the risks and put all their customer data in one place without the necessary protections, they’ve created an unknown liability that could have a material downside impact.

Fortunately, this is a problem of planning and communication, not a technical conundrum. Companies don’t have to constrain their CRMs or expose their data. Ideally, your platform is your central repository for sustainable security.

Key steps to secure your platform

I would advise anyone hoping to evolve their CRM into a practical platform to plan extensively from both the business application and the governance perspectives. With that in mind, work through these steps before migrating more data from more departments onto your platform:

1. Involve everyone: To be truly effective, you need to negotiate important issues around security governance with all stakeholders: information security, CRM evangelists, end users, and the C-suite. It is vitally important that all parties are on the same page and eager to establish the privacy and security standards within the organisation.

2. Define security: This is a two-step process. First, you need to identify what kinds of data create security risks. Second, you need to identify the security gaps and inherent weaknesses within your platform (largely due to internal bad actors or misconfiguration). Once you've found your gaps, you can figure out how to mitigate those or how to implement a remediation plan that shows progress over time. Both insights are essential for understanding how to make your platform and processes more secure.

3. Plan the platform: The devil is in the details. How your platform is organised — the data sources, user permissions, features, policies, etc. — impacts how secure it ultimately is. Therefore, plan out what functions the platform will optimise, and let actual user data needs be the basis of your security strategy.

4. Address the obvious: I see a lot of the same mistakes occur over and over, even obvious ones such as making all users administrators. These are the first mistakes that will be exploited but also the easiest to prevent. So while it has become a business reality to hand responsibility for data management to all employees, a system of checks and balances needs to exist. Imagine the chaos that would ensue if a trusted employee leaves the organisation and takes his entire client book with him. You're in serious trouble without a reliable backup in place. Simply following best practices and implementing companywide policies eliminates some of the biggest security threats you could face.

5. Reevaluate regularly: Platforms are dynamic by definition, and so is your organisation. As both continue to evolve, you will need to reevaluate the strengths and weaknesses of your security strategy. Because platforms are consistently being updated, you need to apply that same tenacity to objectively reviewing how your platform is (or is not) meeting your needs. Capabilities are always changing and expanding, so invest the time in comprehensive reviews. Evidence-based proof will always defeat the response "We got this" or "I think we're good." Stay vigilant. 

Best-in-class companies are using their platforms as a competitive advantage to optimise every customer interaction. With the right mindset and approach, winning enterprises will pair this line-of-business optimisation with governance optimisation to protect their high-value customer data.

Brian Olearczyk, Customer Success, RevCult