Opening context
PensionCo is a public-sector pension organization responsible for managing long-term retirement assets on behalf of members. Its operations depend on secure, reliable digital services that support finance, investments, member services, and governance functions.
In recent years, PensionCo had significantly strengthened its security posture—introducing tighter authentication, new password management, and stricter access controls to meet regulatory and compliance obligations. These changes were necessary, but leadership was conscious of a growing risk: security controls that frustrated staff could quietly undermine productivity, increase workarounds, or introduce new operational risk.
The decision context
The executive stakeholder accountable for these trade-offs was the CFO. As the executive ultimately responsible for compliance failures that could escalate publicly, the CFO also controlled IT investment decisions.
The question was not whether security should be strong—it had to be—but whether the organization truly understood how security measures were being experienced day to day, and whether friction was accumulating in places that mattered most.
Leadership needed clarity before making further changes or investments.
Why existing signals fell short
Traditional IT signals were reassuring on the surface. Core systems were stable, service desk responsiveness was strong, and there were no major incidents.
However, these indicators did not reveal how security controls, collaboration tools, training, and support combined into a lived experience for staff across roles. Anecdotal feedback suggested frustration, but it was inconsistent and difficult to interpret. Without a comparative, organization-wide view, leadership could not tell whether issues were isolated, role-specific, or systemic.
How Voxxify was used
PensionCo used Voxxify to run a focused baseline across the organization, capturing lived IT experience across security, devices, collaboration, support, and training.
Rather than producing a generic satisfaction score, Voxxify surfaced where experience had the greatest influence on overall effectiveness. The data showed a clear pattern:
- Core IT support and connectivity were performing well and widely trusted
- Security controls were broadly accepted in principle, but specific elements—particularly password management and repeated authentication—were creating disproportionate friction
- Training and communication around secure ways of working lagged behind technical controls
- In some cases, process friction (such as change requests) posed more risk than the controls themselves, encouraging informal workarounds
This reframed the discussion from “security versus experience” to “where security design needed refinement.”
What changed as a result
With clear, defensible insight, leadership was able to:
- Focus investment on reducing friction in high-impact security workflows rather than weakening controls
- Improve guidance and training to reduce accidental risk and user error
- Align internal IT and managed services teams around experience outcomes, not just technical compliance
- Give the CFO confidence that security decisions were grounded in how the organization actually operated
Closing insight
For PensionCo, Voxxify did not replace existing governance or controls. It provided something more valuable: clarity.
By understanding how security was truly experienced, leadership could reduce hidden risk, protect productivity, and make informed decisions that balanced compliance obligations with day-to-day effectiveness.
Names are withheld to respect confidentiality. The intent is to illustrate an approach, not to serve as a reference.
