Throughout my career I’ve been drilled to “have a customer-first mindset”. I have written user stories, done user testing, measured customer impact, and had managers challenging me on what the “customer value” is of what I am working on. This has had a very big impact on me and how I approach all technical work; I have often asked questions such as “How will this impact our customer?” and “How can I put this in the hands of the customer as quickly as possible?”.

However, not all work impacts the customer. In fact, if you work for a company, your long-term goal is to satisfy the business owners, usually through profit. This means that there is a lot more work than satisfying a customer. There is a reason why we talk about stakeholders. That’s because they can take many forms: a Head of Security, a CEO, an employee, a CTO, a supplier, a CFO, a customer, an architect, an auditor, etc. The ultimate stakeholder is the board. Identifying a stakeholder for work is really important. It means that you have someone who can explain why something needs to be done, and let you know that the work is completed to their satisfaction.

Sometimes I have had work delegated to me that is presented as, or looks like, “customer-impacting”, but when poking around to understand the objective of the initiative, I struggle to see the immediate customer benefit. It’s made me question why we are doing the work - making it feel like it’s a waste of our time. The problem is I have been equating “stakeholder” with “customer” when the real stakeholder has not been clearly communicated.

I suspect this has to do with customer-first organizations implicitly down-prioritizing stakeholders other than customers. As such, it’s a much easier sell internally to say “We need to do this to make the customer happy” than “We need to do this to make investors/ISO auditor/Chief Finance Officer/… happy”. It’s as if no one dares to say “The work you are doing here is to satisfy a checkmark in our investors’ checklists - it will not benefit the customers in any way”.

Within security circles, there is a term called “security theater”. According to Wikipedia, it is

[…] the practice of taking security measures that are considered to provide the feeling of improved security while doing little or nothing to achieve it.

I have definitely been responsible for calling certain security tasks, or other tasks coming my way, “theater tasks”. If this happens in the future, I will try to dig more into who the actual stakeholder is. Hopefully then, I will more clearly be able to see the value those tasks add, and to whom.