Bad Customer Service Is a Strategic Risk
Published 2026-04-08 | Originally published 2013, updated for 2026
Security and compliance are supposed to protect your organization. But when they're implemented without judgment, they punish your customers instead — and that's a strategic risk that no compliance framework will warn you about.
After 30+ years in security, governance, risk management, and compliance, I've watched organizations weaponize their own policies against the people they serve. The damage isn't theoretical. Customers leave. Revenue drops. Competitors who get the balance right take your market share. And the irony is that the policies causing the damage often don't improve security at all.
Three Mentalities That Destroy Customer Relationships
These are mentalities, not people. Almost every front-line employee has been pushed into one of them at some point by structural pressures the employee did not choose. The argument here is about the patterns the structure produces — not about the staff who get caught up in them.
The Wolverine
Every organization needs wolverines — staff who sink their teeth into security and compliance and don't let go. They are the ones who catch the fraud, flag the misconfiguration, and refuse to let a shortcut slide. The problem arises when no one pries the wolverine's jaws apart.
This mentality, given unchecked authority, creates policies that prioritize control above all else. MFA that locks out legitimate users for days. Identity verification procedures that require customers to prove who they are through increasingly absurd hoops. Fraud detection systems that block legitimate transactions while actual fraud slips through on a different vector.
In 2026, the pattern is everywhere: zero-trust architectures that create so much friction that employees route around them, HIPAA-justified refusals to share information with the patient's own family, and KYC procedures so burdensome that customers abandon onboarding entirely. What this mentality cannot see is the customers who leave — only the incidents that did not happen.
The Capricious Enforcer
The capricious enforcer uses compliance policy as an instrument of personal discretion. Not to protect the organization or the customer, but to apply different rules to different people. The policy is the same either way; the enforcer just chooses when to apply it rigidly and when to be flexible, based on mood or rapport.
You have met this pattern. The agent who can resolve your issue in two minutes but makes you wait on hold for forty because you were frustrated when you called. The compliance officer who requires a notarized form for a routine change from one customer but waves it through for another. The IT administrator who grants access instantly to people they like and creates a three-week approval process for everyone else.
Inconsistent enforcement is worse than either strict or lenient enforcement applied uniformly. Inconsistency means the compliance posture is unpredictable, the audit trail is indefensible, and the customer experience depends on which agent picks up the phone.
The Rote Enforcer
The third pattern is what you get when customer service representatives are forbidden from making judgment calls. They recite scripts. They follow decision trees. They escalate to supervisors who follow slightly longer scripts. No one in the chain has the authority or training to make a common-sense decision.
In 2026, this rote-enforcement pattern has evolved into the AI chatbot — a literal script executor with no judgment, no context, and no ability to recognize that the customer's situation does not fit any of its decision paths. Organizations replaced human script-followers with cheaper automated ones and called it innovation. The customer experience got worse, not better.
When the front line cannot exercise judgment, customers learn to game the system — asking for supervisors, threatening to close accounts, posting on social media. The ones who do not bother gaming the system just leave.
The Risk You're Not Measuring
Every major security-control framework measures the risk of unauthorized access, data breach, and regulatory penalty. None of them — NIST CSF, ISO 27001, PCI DSS, the HIPAA Security Rule, FFIEC — has a control category for the risk of losing customers because your controls are hostile. Consumer-protection regulators (the CFPB, the FTC) have begun to circle the question, but no security-control framework yet captures it. The risk is nonetheless real, quantifiable, and often larger than the risks you are mitigating.
- Competitive risk. Your competitor's onboarding takes 10 minutes. Yours takes three days and a notarized form. You will lose that customer.
- Revenue risk. Your fraud detection blocks 2% of legitimate transactions. On $50M in annual volume, that's $1M in lost revenue — probably more than your fraud losses.
- Reputation risk. One viral social media post about your verification nightmare costs more than a dozen quietly resolved security incidents.
- Retention risk. Customers who call support and hit a script-bound representative or a capricious enforcer don't fill out exit surveys. They just leave.
What to Do About It
- Train everyone in risk-based decision making. Not just the policy, but the purpose behind it. When a front-line employee understands why the control exists, they can exercise judgment about how to apply it.
- Measure customer friction as a risk metric. Track abandoned onboarding, blocked transactions, escalation rates, and time-to-resolution. These are security metrics — they tell you where your controls are failing.
- Give front-line staff authority to make exceptions. Document them, review them, but allow them. A human who can say "I can see you're the account holder, let me help you" is worth more than a policy that's right 99% of the time and catastrophically wrong 1%.
- Audit your AI touchpoints. If your chatbot can't resolve an issue, how fast can the customer reach a human? If the answer is "never" or "45 minutes," you have a strategic risk.
- Apply STORM to customer-facing controls. Quantitative risk measurement can evaluate the risk of both the control and the friction it creates. If the friction risk exceeds the security risk, the control needs redesigning.
Security, governance, risk management, and compliance exist to protect the business — which includes its customers. When your controls drive customers away, they're not protecting anything. They're a liability.