
Rationalizing your controls in the digital sales process.

  • Apr 7


All too often, I see a digital sales process that is nothing more than the digitizing of a paper process rather than a truly digital experience. 


Accordingly, the controls have not been refreshed from the in-person retail experience, apart from the bare-minimum controls for code injection, buffer overflow and cross-site scripting that Information Security made them put in.


The line of business, which is an expert in its product and the in-person sales of it, often has no fraud or cyber expertise and views these disciplines as anti-sales. In still other situations, the line of business will start trying to buy its way out of incidents by purchasing and bolting on fraud and security controls, sometimes from the same vendor that is used elsewhere in the company via an enterprise license. Yes – paying for a service that you already have for free due to an enterprise license. Further, you often see overlapping or duplicative controls in one part of the process and gaps in others due to this lack of domain knowledge.


What I propose is to align controls with the portion of the sales funnel that matches the expertise of the parties in the enterprise.


Controls that keep bots, known bad devices, sessions from OFAC-sanctioned nations and Tor users out of the site and out of the top of the funnel are the domain of Information Security.

To the line of business: these sessions were never going to lead to legitimate sales anyway. Why tie up your process with junk? Worse yet, if you are in a regulated industry, you end up having to explain / pay for a declination process for junk applications.


Now that the session is safe, is the data any good? 




© 2025 by DTX Advice.
