Customer Success in Cybersecurity: Why Security Starts With People, Not Software

It was a pleasure to spend 30 minutes with Rick Adams from Practical CSM discussing the role of the Customer Success Manager in the security industry. We covered how customer success applies in cybersecurity, where trust, risk reduction, adoption, and long-term customer value are especially important. You can listen to the full podcast episode on the Practical CSM website.

Now, Customer Success is already a people-focused job. We help customers adopt products, solve problems, reach goals, and get real value from the solutions they buy. But in cybersecurity, the role becomes even more interesting; and honestly, even more important.

Because security is not just about software. It is not just about dashboards, policies, alerts, configurations, or technical controls. Security starts with people. 👥

You can buy the best platform in the world. You can configure every setting perfectly. You can define the cleanest process imaginable. But if people do not understand it, trust it, or actually use it in their daily work, the outcome will fail.

That was the heart of my conversation with Rick: cybersecurity is deeply human.

Customer Success in the Security Industry
Transcript
  1. Hi, my name is Rick Adams from
    PracticalCSM.com, and the title for
    today’s
  2. podcast is Customer Success in the
    Security Industry. Our guest today is
    Fabio Lichinchi.
  3. Fabio is a customer success manager for
    Zscaler, or if you’re in America,
  4. Zscaler, a software provider in the
    security space that provides a 100
  5. percent cloud-built secure platform for
    moving applications and infrastructure to the
  6. cloud and untethering employees from their
    desks. That enables its customers to
  7. realize advantages in productivity,
    agility, and cost containment.
  8. Fabio originally comes from a sales
    background. Before working for Zscaler,
  9. Fabio held both customer success manager
    and success program manager roles at Cisco.
  10. Fabio is here today representing his own
    opinions rather than those of Zscaler.
  11. Fabio, hello to you. It’s great to have
    you with us.
    - Rick, thank you for having me here,
  12. and for the opportunity of talking to you
    on your podcast.
    - Absolute
  13. pleasure. Great to have you with us. Thank
    you very much. First things first, I’ve
  14. given a very brief description of you,
    but it would be great if you don’t mind
  15. just spending maybe a minute or two
    introducing yourself and explaining both your
  16. background and perhaps just explaining
    your current role at Zscaler.
  17. Yes, yes. You know, my background, like many
    of us, comes from a
  18. technical aspect. I was initially a
    developer, and as a developer,
  19. I realized that many projects were
    failing because they were around human
  20. interactions, let’s say. Let’s put it
    this way. So I eventually became interested in
  21. knowing how IT fits together with
    human behavior and
  22. business objectives. Eventually, I moved into
    presales, then more sales roles.
  23. And you know, I know it's going to look cheesy,
    but really, eventually, it's because I like
  24. to help people. So when a project really
    has a big impact, and you can see
  25. that the customers are moving forward,
    are doing business in a better way, and
  26. their customers are satisfied, I’m also
    happy. I feel like I realized something and I did something
  27. with my life, and it’s something I like.
    So I think really helping people is a big part
  28. in the push of all persons at this time
    in this field, and especially
  29. into the CSM roles that are now
  30. one of the latest trends in the industry.
    - Well, I totally agree with you. I
  31. agree with you that it’s cheesy,
  32. but I also agree that there’s a
    reason why it’s cheesy: because it’s true. I can
  33. absolutely agree with you, people in
    customer success by and large, in fact almost
  34. entirely, are people who like helping
    people. I couldn’t agree more.
  35. So, our discussion today is customer
    success in the security industry, and I
  36. think it’s an interesting topic
    because perhaps of all the industries I can
  37. think of, the security industry is one
    that really can’t afford to give wrong advice
  38. or slip up in best practice. It’s
    got to make sure that whatever it gives as
  39. advice and help and assistance is the
    correct advice and help and assistance to its
  40. customers, because those customers rely
    on that advice and assistance to help
  41. make sure that their security doesn’t fail.
    However, I was really interested in
  42. something that you were saying to me
    before we kicked off the podcast, which I also
  43. completely agree with, which is that
    security doesn’t begin with the software, but it
  44. begins with the people. Yeah, you know
    where I’m going with this as a start point for
  45. our conversation around the security
    industry. Perhaps could you expand a little bit
  46. about what you meant by that concept?
    I think it’s a really important one.
  47. Everything starts with the
  48. people. And actually, if you look at the power
    in terms of monitoring that
  49. modern tools give you,
  50. you will see companies, if you look at them
    with the eyes of a CSM, you will see
  51. companies are doing different things.
    Some of them will just
  52. be aware of certain situations and
    do nothing. Some others will
  53. point the finger at employees, "Ah,
    you’re doing this, you’re doing that," but without
  54. really a
  55. structure behind it. So what I want
    to say is actually that people are very
  56. important in the security process,
    and they need clear processes and rules.
  57. So they need to feel safe to err,
    even if they make a mistake. Imagine how
  58. many times we wrote an email to
    the wrong email address, and
  59. imagine if this is a business conversation.
    So,
  60. an employee that
  61. is afraid of losing his or her job
    will just hide the thing. That is not
  62. the right thing to do. The right thing
    is to tell the company and have a process,
  63. because this is an honest mistake.
    This mistake is not made with the intention
  64. of producing
  65. damage to the company or to other
    parties. It's an honest mistake. There must be a
  66. process that clearly describes what
    is going to happen, what the company is going to do,
  67. and employees need to be empowered
    and feel safe. And this security process is very
  68. slow because it is a cultural one, and
    that’s why it is not going to be solved in one week
  69. or a month. It might take a long time.
    My job as a CSM is to make sure that really
  70. companies kick this off.
    - That’s interesting.
    So effectively, what they get from
  71. your organization really is an enabler
    of security, but it’s not the
  72. answer. The answer is the way in which
    they implement it, and how they
  73. change the culture within their
    organization in using the services that your
  74. organization provides.
    - Exactly, using them
    in the right way, because these tools
  75. give you a lot of security in terms
    of protecting you from the many threats
  76. that are out there, but also give you
    visibility. And with visibility,
  77. you can do a lot of things. But it
    is very important to handle this
  78. knowledge you have about your users'
    behavior in the right way, not in the wrong
  79. way.
  80. And looking back over my early career
    when I was an employee, I can
  81. remember sort of having a fear of a blame
    culture, and culture is really
  82. critical to this, obviously. If you're
    feeling that there is, to an extent at least, a
  83. fear of a blame culture, which immediately
    meant that I was less
  84. productive because I didn’t take risks,
    because I didn’t want to be blamed, that would be
  85. an appropriate risk. You want your
    employees to take appropriate risks,
  86. because with risks come rewards. So
    you’re stopping that, potentially, but
  87. then, of course, also as you said, rather
    than if there was a security breach,
  88. rather than, as it were, owning up,
  89. to prevent it, I end up actually working
    for the hackers, right? I end up
  90. being an employee who, in order to cover
    for myself, I’m covering for the
  91. problem. And that is most definitely
    something that isn’t going to work
  92. well.
  93. Yeah, and this is not going to work until
    everybody acknowledges the problem, because employees are
  94. ignoring the problem, but also companies are
    pretending this is not happening.
  95. As it were, if you put your fingers in
    your ears and hum and close your eyes,
  96. everything’s okay. Yes.
  97. Okay, good. So it doesn’t sound like
    you have much of your work cut out
  98. for you as a customer success manager
    to change that around.
  99. Okay, well, look, we’ve said security is
    all about people, and I totally get where
  100. you’re coming from on that. So out of
    curiosity as much as anything else,
  101. what types of things do end users
    typically do that can cause security issues?
  102. And perhaps, as we’ve said, equally
    important is why do they do those things? Even
  103. worse, they know they shouldn’t be doing them.
  104. Yeah, I think,
  105. well,
  106. first of all, everything starts really
    with someone leading security internally, so
  107. a strong sponsor that can
  108. move things forward, and this is
    company-wide. Another important
  109. thing is that
  110. people need to be educated. This is
    actually
  111. good for themselves and for the company
    as well. If you think about it, not many
  112. companies are doing that, but if you
    deliver training where you explain what
  113. are the risks, how to use the tools,
  114. what is going to happen if you don’t do
    it the right way, that particular
  115. information is going to be good in the
    people's lives, even outside work and at work.
  116. So it's a good investment, and it's going
    to pass the message as something good for them
  117. and not just for the company, but this
    is a win-win, you know.
  118. And also, they should really start
    to think of data with more empathy.
  119. Because many times we treat data, we work
    with data, and they see it as
  120. handled in a specific way only because
    it is not your data.
  121. Imagine how you would feel, or imagine
    how I would feel, if all your private IT
  122. information would be available now over
    the internet for everybody to see.
  123. We don’t have that kind of empathy
  124. when we handle someone else's data. So that’s
    where this goes back to the fact that
  125. I said it's a cultural problem. We need to
    really build processes, teach, educate
  126. how to manage data, and keep on doing
    this. I remember also,
  127. and those tools are important for a CSM
    because
  128. this is more the soft skills side, but
    let’s look at the tool
  129. side. I remember I was making fun of it
    because we bought an apartment, and
  130. actually had the door replaced, because the
    door that we previously had
  131. was symbolic. I mean, you could open it
    just with a kick, I guess, and I was
  132. making fun of it and telling my wife,
    "You know, this is the most valuable thing we got
  133. in the apartment. Three thousand pounds for
    this door we recently bought! If someone wants to
  134. steal, it's better off just taking the door
    and walking away,
  135. because we don’t have anything precious
    inside the apartment."
  136. But yes, one day it happened that I
    was talking to the neighbors
  137. downstairs, and my wife was curious to
    hear what I was saying, so she
  138. joined me downstairs. Now the thing is that
  139. we were about to leave, and when we came
    back after one hour and a half,
  140. we realized we left the door open. So you
  141. have a massive latest technology for
    three thousand pounds, left open.
  142. So really, if you don’t know how to use
    the tools and use them in a proper
  143. way, you can have the most expensive one,
    and it's not going to help you.
  144. Or indeed, even if you do know how to
    use them but you didn’t, which is obviously
  145. what happened in this case, it wasn’t
    like you didn’t know how to turn a key, it was just
  146. you just didn’t do it. Yeah. So again, it
    comes down to, like you said at the beginning,
  147. it comes down to the people as much as,
    definitely, you've got to have the tools or
  148. you've got to have the door that is not easy
    to break into your apartment, but yeah,
  149. then you've got to use it. And not just
    use it once, right? You've got to use
  150. it all the time. That’s another aspect of
    the culture and psychology, isn't it?
  151. That maybe the novelty of doing things
    the right way wears off quite
  152. quickly for people. If you make it easier
    to do the wrong thing and
  153. harder to do the right thing, then
    you’re less likely... I mean, is that the sort of
  154. thing that you look at when... I imagine the
    psychology of security is quite
  155. important for you to sort of work with
    your customers, yeah, with companies, to
  156. deal with that sort of aspect of making it
    as easy and as comfortable as
  157. possible for their end users to do the
    right thing. So, I mean, how do you do that as a
  158. CSM? How do you help companies to understand
    this sort of psychology of security and
  159. deal with it effectively?
    - Imagine this,
    when we talked about the door,
  160. as a CSM, I go to a customer. The door
    is the product that they purchased, and
  161. there are two aspects. One is to
  162. give them metrics to understand if the
    deployment, so how the door was
  163. installed, is the proper one, in the
    way that best fits their needs. So you have
  164. technical aspects to discuss with the
    technical people as a CSM, how the
  165. door has been installed. Then you need
    to discuss with your end users, and
  166. the users will need to know how to operate
    the door. And this is also the CSM, you will
  167. explain or educate or help them in
    doing the best usage of the particular door
  168. they purchased. And also to your C-level
    stakeholders as well, you will explain
  169. why the door is important, what it is
    there for, what it defends, and why they should
  170. have processes in place to communicate the
    importance of operating the door properly. So,
  171. you see, as a CSM, I talk to different
    stakeholders, and mainly they are the
  172. employees, the technical people installing
    the door, and my executive stakeholders
  173. that put it out there, someone who
    purchased it for specific business
  174. objectives and that want to help them to
    realize that. Psychologically, it is
  175. very important when I show them, because
    another thing a CSM needs is
  176. data. You need to deliver some presentations
    during a QBR or business review
  177. or a portal with visibility that shows
    them how they are doing, and possibly you
  178. want to discuss also how others are
    doing without giving names, just with aggregate
  179. data, to understand more or less similar
    companies, what other people are
  180. doing in the market, and compare
    themselves. And compare themselves to that
  181. externally, and a bit internally too. Why
    internally? Because not all the
  182. companies are at the same maturity level
    when we talk about security, right? Some are far
  183. behind. But psychologically they look
    at the report and they think, "Well, this
  184. investment is not blocking enough." So
    you say, "Okay, yes..."
  185. So actually, to move a company's behavior,
    you've got to almost treat a company
  186. like a person in a way and say, "Well,
    here's what good looks like, right? And
  187. here's where you are."
  188. Yeah, and that psychologically moves
  189. them. Because if you don't do that,
  190. most of the time companies really focus
    with some connectivity, not security. So
  191. they prefer to have the service working,
    because that service is making the money. And
  192. then making sure that it is also secure. So
    user experience is very important, but again,
  193. goes back down to managing risk. So there
    are some risks you can take in order to
  194. have good connectivity, and some you can't
    really. And it's important
  195. we do this exercise of deciding what we
    can afford and what we want to, or
  196. where we don't want to be, like hitting
    the news in the wrong way.
  197. Fair enough.
  198. Well, you’ve worked with a fair number
    of customers around implementing good security
  199. systems and processes. So in your
    experience, why do companies sometimes fail to
  200. implement good security? Or perhaps you’ve
    kind of answered that, we've talked about
  201. maybe a desire or an ambition to have
    maximum productivity
  202. without realizing some of the implications
    behind it and the risk side of it.
  203. So is it a case of perspective? Is it
    a case of helping the
  204. stakeholders, the decision makers, to
    understand the potential consequences of this sort
  205. of risk and reward type
  206. behavior, that you need to help them
    almost to balance?
  207. Yes, yes, because when we talk about
    security it is really everywhere. And
  208. if you...
  209. The first thing that comes to my mind
    is always the user's behavior. As a user
  210. of many of the services out there now, I
    can give you two examples. One once hit
  211. me because it actually looks so good to
    have.
  212. For this big retailer in the UK, I have
    a loyalty card.
  213. The loyalty card is now delivered through
    my mobile. I created an account,
  214. logged in, I went to the store, I bought
    stuff, I had some vouchers just for the amount of
  215. five pounds something, and as I tried to
    open the application, my login expired.
  216. I didn’t have the password with me, I
    couldn’t use the voucher, I couldn’t scan the card. It was a
  217. big disappointment for five pounds, and
    now I’m considering another shop. So this is a
  218. big damage in terms of user experience.
    You say, security-wise, they
  219. didn’t lose four pounds and a half, but
    then
  220. my experience as a user was very bad. If
    you look at Starbucks, for example here,
  221. because actually they are doing great in
    this aspect. They would let the
  222. points go anyway, and even if someone is
    stealing those points, it doesn’t
  223. really matter. They can replace them,
    because the money they make thanks to
  224. returning customers is much more than
    the stolen points. This is a
  225. risk they can afford.
    - Yeah, they value
    the customer experience higher
  226. than the potential loss of five dollars,
    euros or pounds. Yeah.
    - But in a smart way,
  227. because eventually that data is not customer
    data, it is data. And here is
  228. another point that comes later, that we
    will talk about possibly later,
  229. understanding your data.
  230. Understanding your data, so there’s risks
    they can afford to lose, there’s
  231. really no damage, and risks that you don’t
    want to lose.
    - Yes, absolutely, like your customers'
  232. data, for example.
  233. Yeah, that can be quite damaging, I've
    heard!
    - Yes.
  234. Okay, what advice do you give,
  235. when you’re working with your customers,
    how do you go about helping them to
  236. understand where they need to... let's
    say, where they need to start with this?
    - I would
  237. suggest that the most important thing is
    really starting with your data. If you
  238. think of it, imagine this: okay, if you
    are a manufacturing company, you build your
  239. business on other assets, like factories
    or tools or
  240. devices. But if you are like many
    companies that have services, imagine if
  241. your database disappears and you don't
    have it tomorrow. You’re out of
  242. business because everything you got is
    your data. And with your data, this is very
  243. important that you as the owner know
    where it sits, because today with cloud and
  244. Shadow IT, people are copying companies'
    data on non-approved
  245. cloud systems, they are bringing it home,
    there are
  246. parts on-premise, parts
  247. in approved and non-approved clouds. So
    it is very important that as an enterprise,
  248. or as a CSM, the exercise I usually do
    is to talk with them to make sure they
  249. stay clear on where data is. And then
    once they know
  250. where their data is, they can catalog it.
    And the reason they
  251. want to create a catalog is to associate
    a certain level of risk
  252. to each piece of
  253. data they have. And eventually what they
    can do once they have this is to
  254. protect what is most important and maybe
    let the things that
  255. after all, if they are leaked outside,
    it is not a big damage, move
  256. more freely into the enterprise. So it is
    really: first of all, know yourself,
  257. know your data, and then start from there.
  258. Okay, that sounds like a very logical
    approach actually, where
  259. you’re leading them through a process of
    understanding what the big
  260. risks or what the important risks are
    and making sure that they’re prioritizing those.
  261. That’s correct.
  262. We could go on forever talking about this
    because it’s a fascinating subject and we’ve
  263. been actually going now for thirty minutes
    already, so I meant to wrap it up, but I
  264. did want to actually ask you another
    question if you’ve got the time.
    - Yes,
  265. thank you. We just...
  266. we’ve talked about what you do, but
    perhaps a bit less about how you do it. And
  267. time and again people ask me about it,
    what actually do customer success
  268. managers do? Not why, but what? Yeah, what
    do they do? So would you
  269. mind giving perhaps just a very brief
    overview of how you go about doing the
  270. things you do? In other words, when you
    meet a customer, what actually happens? What
  271. does it look like? What is a day in the
    life of Fabio the customer
  272. success manager in the security industry?
    What do you actually do?
    - Yes, a good
  273. question.
  274. It's very exciting, you know, because
    what you do is you meet the
  275. customer for the first time.
  276. And you usually want to have some data now.
  277. Most of the companies that are doing the
    CSM role right, that understand
  278. CSM,
  279. normally give the customer success manager
    a set of metrics. These metrics are
  280. normally tailored to understand the
    performance of the customer environment.
  281. And then that can be used. So I meet the
    customer, I show them the
  282. metrics, and we discuss their feelings,
    how they feel about the metrics, etc.
  283. If they knew they were there, and what
    their next steps are, where they would like to be
  284. in the future. From there we build a
    path to success. And
  285. what I do next is to hold them
    accountable for reaching their
  286. goals. Those are theirs, not mine, but
    they agreed on
  287. changing things for the better. As a
    CSM, I just show the picture,
  288. I help them in figuring out where they
    want to go, and then I monitor the
  289. situation to make sure they actually
    do it. So the best meetings are the ones where
  290. you have a good mix of audience, like
    technical executives, stakeholders, someone from
  291. networking, someone from security,
  292. someone from the employee side, because
    they also have a word here.
  293. And you just drop a subject that you
    think is important, that you
  294. identified as important for them, and
    then they have the discussion among each
  295. other, and they sort it out by themselves.
    The only thing I do is to record
  296. the minutes, and then in the next weeks
    remind them of the next steps, how
  297. to do those with the tools, with some
    help obviously if tools are involved. But first
  298. is a discussion among people, and then
    mapping these objectives to the
  299. tools, and making sure they follow the
    steps on the tool. And then they get to a new
  300. baseline target, then target turns into
    the baseline, new target, and goes on forever.
  301. Because business is changing, things
    don’t stay the same.
    - Yeah, for sure.
  302. I think what you’ve just described there
    is highly applicable in the majority
  303. of... or at least to some extent all
    customer success roles, whether
  304. that is security or whatever the
    CSM organization happens
  305. to be providing as a service or product.
    Yeah, I think it’s
  306. about understanding the customer, building
    the relationship with them, helping them to
  307. understand what the issues or the
    challenges are, helping them to work
  308. through those to develop some sort of
    roadmap,
  309. and then helping them with that roadmap
    to implement that and take measurements, and
  310. change it, because as you say, the world
    changes all the time. So by the time you get
  311. there it’s going to be wrong, so you're
    going to need to keep adapting it. So to be, you know,
  312. to be versatile enough to do that, that
    makes total sense.
  313. To make what you just described, yeah, you
    need measurements and success criteria, or
  314. otherwise you don’t know if you’re
    doing well or not.
  315. Right, yeah. And more importantly, I think
    this is a big
  316. contentious issue, actually, because a lot
    of the measurements that the
  317. customer success profession talks about
    incessantly, to my mind too
  318. much, is measurements of the customer
    success organization like NPS and
  319. utilization and churn and retention. The
    customer doesn’t care about those
  320. things, no.
  321. That’s my problem, your problem, not theirs.
    - Right.
  322. Yeah, so the clue is in the name, it's a
    customer success manager. Yes, we have to wrap
  323. this up unfortunately. It’s been a fascinating
  324. conversation, for which very many thanks,
    Fabio. I think that much of what we’ve covered
  325. is useful and relevant, not just within the
    security industry, but to CS roles in
  326. pretty much all industries. And I think it’s
    always useful to understand how
  327. others perceive the role of customer
    success management, how they implement it
  328. within their companies. So yeah, that
    Zscaler approach, I
  329. think is great for everyone to understand.
    I really appreciate your time.
  330. Thank you so much for being with us today.
    - Thank you for having me, and thank you for
  331. all the contributions you're delivering to
    the CSM role in general. It is still so young,
  332. it really needs work.
    - Well, it does, doesn't
    it? And I think the best way we learn
  333. is through sharing and through understanding
    each other’s concepts
  334. and ideas. That’s how we learn. So thank
    you for that. I absolutely
  335. agree, that’s what we need to do. Before I
    end the conversation, I just
  336. want to remind everybody I’ve been
    talking to Fabio Lichinchi, customer
  337. success manager at Zscaler, about customer
    success in the security industry.
  338. If you’ve enjoyed this podcast, please
    remember to share it with your friends
  339. and colleagues. And also please do check
    back at PracticalCSM.com regularly
  340. for more free customer success related
    podcasts, videos, and articles, or better still,
  341. go to our website at PracticalCSM.com and
    sign up for the monthly newsletter,
  342. which will keep you informed about all the
    new free content we produce every month.
  343. And you’ll also receive a PDF of the first
    chapter of my book, Practical Customer
  344. Success Management, as well as a
    twenty-two page overview of the Practical CSM
  345. Framework.
  346. My name is Rick Adams from
    PracticalCSM.com. Thank you so much to all
  347. of you for listening to this podcast, and
    I look forward to talking to you again in
  348. future episodes.
3

Security Is a People Problem First 🧠

When people think about cybersecurity, they often imagine highly technical things: firewalls, endpoint protection, identity systems, threat detection, access controls, phishing simulations, compliance frameworks, and so on. All of that matters, of course. But the reality is that most security outcomes depend on human behaviour.

Three-panel comic about cybersecurity and user behaviour. In the first panel, a security professional points to a board with tools like Firewall, MFA, and Alerts, while a stressed employee sits in front of warning pop-ups and says, “People still struggle.” In the second panel, workers under pressure avoid a locked door labeled “Secure Process” by climbing through a window marked “Shortcut,” with one saying, “I just need to get my job done.” In the third panel, a Customer Success Manager stands beside a smooth path leading to a shield with a checkmark and says, “Make the secure path the easy path,” while a customer team looks relieved next to a sign that says, “Safer + productive.”
Security outcomes depend on people. When the secure path is simple, supported, and built for real work, customers are safer and more productive.

People click links. People reuse passwords. People take shortcuts. People ignore warnings. People work around processes that feel too slow or complicated. People sometimes hide mistakes because they are afraid of getting blamed. That is not because people are bad. It is because people are people. 🙂

They are busy. They are under pressure. They want to get their job done. If security feels like a wall in front of them, they will look for a door, a window, or sometimes a ladder. This is why cybersecurity cannot be treated as a purely technical subject. It has to be treated as a behavioural, cultural, and operational challenge too.

And this is exactly where Customer Success has a huge role to play.


The CSM Is Not Just Helping Customers “Use the Product” 🚀

In many SaaS companies, Customer Success is often measured by product adoption, usage, renewals, expansion, and customer satisfaction. Those things matter. But in cybersecurity, they are not enough on their own.

A customer could be logging in regularly. They could be using the platform. They could even have good-looking adoption numbers. But the real question is much bigger: Is the customer actually safer?

That is the outcome that matters. Are they reducing risk? Are they improving behaviour? Are they becoming more confident? Are they protecting the business without slowing everyone down? Are they making secure work easier, clearer, and more repeatable? That is the difference between “using a security product” and building a stronger security posture.

For me, that is where Customer Success becomes strategic. The CSM is not just there to explain features. The CSM is there to help the customer connect the product to their real-world business goals.


Security vs Productivity: The Eternal Battle ⚔️

One of the biggest themes we discussed was the tension between security and usability: every company wants to be secure. Every company also wants people to be productive. The problem comes when security processes are so painful that users start avoiding them.

If the secure path is difficult, slow, confusing, or annoying, people will naturally search for shortcuts. And once shortcuts become normal, risk increases. This is why one of the most important jobs for a Customer Success Manager in cybersecurity is to help customers make the secure path the easy path.

Security should not feel like punishment. It should not feel like bureaucracy for the sake of bureaucracy. It should support the way people work, not constantly interrupt it. Good security needs to be practical. That means asking questions like:

What is the customer trying to protect? Where are users experiencing friction? Which behaviours are creating risk? Which controls are realistic? What can be simplified? What needs better communication? Where does the process break down?

The goal is not to remove every bit of friction. Some friction is necessary. But unnecessary friction is dangerous because it teaches people to avoid the process entirely. And when people avoid the process, security becomes theatre.


Fear and Blame Make Security Worse 😬

Another important point from the conversation was culture. Security teams and vendors often talk about risk, controls, and compliance. But end users experience security in a very different way. They may experience it as delay. They may experience it as restriction. They may experience it as “another thing I have to deal with.” And sometimes, they experience it as fear. That fear matters.

Three-panel comic about security culture and Customer Success. In the first panel, an anxious employee stares at a laptop warning about a suspicious link and thinks, “I hope nobody finds out,” while a sign in the background says “Fear” and “Blame.” In the second panel, a Customer Success Manager stands in the middle of different stakeholder groups labeled Risk, Controls, Process, and Get work done, saying, “Let’s connect the dots.” In the third panel, the CSM presents a roadmap with milestones for 3 months, 6 months, and 12 months, saying, “Clear steps build trust,” while a customer team looks on confidently beside trust symbols like a shield and handshake.
Security gets better when people feel safe to speak up, teams understand each other, and progress is turned into clear, shared next steps.

If people are afraid of punishment, they may hide mistakes. If someone clicks a suspicious link and feels embarrassed or worried about blame, they might not report it quickly. That delay can make the situation worse. A healthy security culture should encourage transparency, not silence. Mistakes will happen. The question is whether the organisation learns from them or buries them.

Customer Success can help here too. A good CSM can guide customers toward better conversations internally. Not just “how do we stop users from doing bad things?” but “how do we create an environment where people understand the risk and feel safe reporting issues?” That shift is powerful. Security improves when people trust the process.


The CSM as Translator, Guide, and Facilitator 🧭

One thing I really enjoyed discussing with Rick is that Customer Success in cybersecurity requires a lot of translation. Not language translation but business translation. Executives care about risk, reputation, resilience, cost, compliance, and business continuity. Technical teams care about implementation, integrations, alerts, configuration, visibility, and control. Managers care about productivity, team behaviour, process consistency, and reducing operational headaches. End users care about getting their work done without unnecessary friction. All of these groups are important. But they do not all speak the same language. A strong CSM helps connect the dots.

The message has to change depending on the audience. You cannot explain cybersecurity value to an executive in the same way you explain it to an admin or an end user. That is not “dumbing it down.” It is making the value relevant. Customer Success sits in a unique position because we understand the product, but we also understand the customer’s goals, pressure, constraints, and internal dynamics. We are often the bridge between what the technology can do and what the customer actually needs to achieve.


Customer Success Must Help Customers Think Clearly About Risk 🎯

Every organisation has risk. The question is how much risk they are willing to accept, where that risk lives, and what they are doing about it. This is another area where Customer Success becomes very valuable. A CSM should help customers think through questions like:

What are the most important assets or processes to protect? What could go wrong? Which behaviours increase exposure? Which teams need more support? What is realistic for this organisation right now? What does good look like in three months, six months, or one year? That last question is especially important.

Customer Success is not just about the current state. It is about helping the customer move from where they are today to where they want to be. In cybersecurity, that journey can include onboarding, adoption, configuration, training, stakeholder alignment, process improvement, behaviour change, reporting, and long-term maturity. The CSM helps turn all of that into a roadmap. Not a vague roadmap. A practical one. Clear priorities. Clear next steps. Clear ownership. Clear outcomes.

That is where trust is built.


Vendor Metrics Are Useful, But Customer Outcomes Matter More 📊

Let’s be honest: vendors care about metrics. Adoption. Usage. NPS. Renewals. Retention. Expansion. These are important for the business, and they can tell us useful things. But customers do not wake up in the morning thinking, “I hope my vendor improves their retention rate.” 😄

Three-panel comic about metrics versus outcomes in cybersecurity Customer Success. In the first panel, a vendor representative points proudly at a dashboard showing Adoption, Usage, NPS, and Renewals, saying, “Great metrics,” while a customer asks, “Are we actually safer?” In the second panel, a Customer Success Manager stands with a customer team and says, “Let’s focus on outcomes,” with labels nearby such as Risk, Behaviour, and Confidence, plus a sign that says, “Usage ≠ Impact.” In the third panel, the team looks at a board titled “Outcomes That Matter” with simple outcome labels: Safer, More confident, and Less friction, while someone says, “That’s real success.”
Good metrics matter, but real success is when customers can clearly see safer outcomes, stronger confidence, and less friction in the way they work.

Customers care about their outcomes. They want to know: Are we safer? Are we more confident? Are we reducing unnecessary risk? Are our teams working better? Are we getting the value we expected? Is this solution helping us operate securely without slowing us down? That is the lens Customer Success needs to use.

Usage is not the same as value. Adoption is not the same as impact. A renewal is not the same as success. Real success is when the customer can clearly see that the solution is helping them achieve something meaningful. In cybersecurity, that meaning is often tied to trust, protection, resilience, and confidence.


Why Cybersecurity Makes Customer Success More Serious 🔥

The fundamentals of Customer Success are the same in many industries. Understand the customer. Build trust. Define success in the customer’s terms. Create a plan. Drive adoption. Review progress. Show value. But cybersecurity adds extra weight because the consequences are bigger. Poor adoption is not just a missed opportunity. It can create real exposure.

If users avoid a process, sensitive data could be at risk. If alerts are ignored, threats could go unnoticed. If behaviour does not change, the same mistakes keep repeating. If security is seen as a blocker, teams may find unsafe workarounds. That is why Customer Success in cybersecurity cannot be passive. It has to be proactive, curious, empathetic, and outcome-driven.

The CSM needs to understand the product, but also the customer’s people, processes, culture, and tolerance for risk. That is what makes the work challenging, and also very rewarding.


Final Thought: Security Is Human-Centred ❤️🔐

Customer Success in cybersecurity is not just about making sure customers use the product. It is about helping them change behaviour, manage risk, and build confidence in the way they operate. The best security solution in the world can fail if people do not understand it or use it properly. Technology can enable security, but people make security real. That is why the CSM has such an important role.

We help turn security from a technical purchase into a practical, human-centred business outcome. And when that happens, security stops being just another tool in the stack. It becomes part of how the organisation works, grows, and protects itself. ✨


Key Takeaways 🌟

Three-panel comic about human-centred cybersecurity. In the first panel, a presenter stands beside a board showing tools like Firewall, MFA, and Alerts, alongside people-focused ideas such as behaviour, trust, process, and culture, while saying, “Security starts with people.” In the second panel, a worried employee says, “I clicked it…” and a supportive CSM replies, “Thanks for reporting it,” beside a simple report-and-help workflow and a sign reading “Easy + safe.” In the third panel, a presenter tells a mixed audience, “Outcomes first,” while a board titled “What matters” highlights Safer, More confident, and Less friction, with vendor metrics like Usage and NPS shown as secondary.
The best security outcomes happen when people feel supported, secure habits are easy to follow, and Customer Success keeps the focus on what truly matters: safer, more confident customers with less friction.
  • Security starts with people. Tools matter, but behaviour, trust, process, and culture decide whether those tools actually work.
  • Customer Success must reduce friction. If secure processes are painful, users will avoid them. The goal is to make the secure path the easy path.
  • Fear and blame damage security. People need to feel safe reporting mistakes. A strong security culture encourages transparency and learning.
  • CSMs translate security into business value. Executives, technical teams, managers, and end users all need different messages.
  • Customer outcomes matter more than vendor metrics. Usage and retention are useful, but the real question is whether the customer is safer, more confident, and better able to work securely.

Leave a Reply

Your email address will not be published. Required fields are marked *