As artificial intelligence, automation, and real-time data collection reshape the digital landscape, companies leading customer experience (CX) and customer relationship management (CRM) face an evolving cybersecurity challenge. Businesses striving to personalize interactions and extract insights from millions of customer touchpoints are also becoming prime targets for cyber threats—ranging from phishing and ransomware to AI-driven attacks and identity theft.
At the center of this battleground are platforms like Qualtrics, Medallia, SurveyMonkey, Typeform, Zoho Survey, SurveySparrow, QuestionPro, GetFeedback, and InMoment, all tasked with collecting, analyzing, and securing vast amounts of sensitive data.
Trust as the foundation of experience management
For Assaf Keren, chief security officer at Qualtrics, trust isn’t optional—it’s foundational. “The base of a good interaction is trust,” he says. “Our goal is to help customers build trust with their own customers. From a cybersecurity perspective, that means creating a platform that is both inherently secure and adaptable.”
With more than 20,000 clients and potentially hundreds of millions of end users, Qualtrics sits on the front lines of data security. But the challenge extends beyond protecting its own systems—the company also helps clients safeguard their users’ data. And the stakes have never been higher.
At Qualtrics X4 in Salt Lake City, which took place from Mar. 18 to 20, Keren outlined how cyberattacks are evolving. What was once the work of a few sophisticated criminal organizations has become an open marketplace. “Cybercrime has become specialized. One person phishes, another sells credentials, a third gains access, and someone else monetizes the data,” he says. “AI is accelerating that evolution—deepfakes, voice cloning, and highly convincing phishing emails are already here.”
Qualtrics’ response combines proactive defense with adaptive AI tools. The company has deployed robust data masking, mandatory multi-factor authentication (MFA), and AI-driven phishing detection systems—even for attacks originating from hijacked customer accounts.
A community effort in cyber defense
Despite fierce competition, Keren emphasizes that cybersecurity isn’t a zero-sum game. “Nobody wants another company to have a breach. We’re all part of a cybersecurity community,” he says, highlighting Qualtrics’ collaboration with global stakeholders to share threat intelligence.
Other industry leaders take a similar approach. SurveyMonkey, now Momentive, points to its ISO/IEC 27001 certification and GDPR compliance as evidence of its commitment to user privacy. “Security and privacy are built into everything we do,” the company states in its trust center. Medallia, another major player, goes even further with end-to-end encryption and advanced anomaly detection. “We don’t just protect data. We empower organizations to act securely on it,” its security team says.
The AI dilemma: friend and foe
One of the most intriguing aspects of today’s cybersecurity landscape is AI’s dual role as both a defensive tool and an offensive threat. “We’re already seeing AI-generated phishing emails and voice cloning,” says Keren. “In a few years, we’ll see autonomous AI attackers. On the defense side, we’ll need autonomous AI agents protecting us.”
Other platforms are also investing in AI-driven security. SurveySparrow promotes its AI-powered spam filters and bot detection, while InMoment integrates behavioral analytics to identify unusual user activity.
Yet Keren warns of a growing risk: fast-moving startups integrating AI without a strong security foundation. “Many companies are rushing AI tools to market without proper security,” he says. “The real threat isn’t the model itself—it’s poor implementation, like open databases or insecure data flows.” He cites a recent incident where prompt data was exposed online due to weak infrastructure.
Chatbots, surveys, and human error
“A poorly configured chatbot with unrestricted data access is a massive risk,” Keren says. “We’re conducting extensive offensive testing to prevent prompt injection and other attacks.”
False or malicious chatbots—often powered by generative AI—are also on the rise, impersonating brands and platforms. “We’re preparing for this future by developing LLM-based agents that monitor and flag suspicious behavior,” he explains.
It’s a delicate balance—stronger security can introduce friction, potentially harming the customer experience. To address this, platforms are giving users more control.
Typeform, for example, allows creators to set data retention policies, encryption preferences, and respondent access levels. QuestionPro offers robust permission systems and audit logs, while GetFeedback (Momentive) integrates Salesforce-level security and encryption.
Cybersecurity as a competitive differentiator
Keren emphasizes that Qualtrics prioritizes secure defaults while allowing clients to scale protections based on their own policies. Internally, employee training remains a key focus for Qualtrics and its industry peers.
“AI will be used by both attackers and defenders,” Keren says. “But employees need to recognize AI-generated threats—voice clones, phishing emails, manipulated content. That awareness is the new frontline.”
Ironically, companies that restrict AI usage may be increasing their risk. “If employees don’t use AI at work, they won’t recognize it when it’s used against them,” Keren warns.
In the highly competitive CX and CRM space, cybersecurity isn’t just a compliance requirement—it’s a key differentiator. Clients want more than smart surveys or sleek chatbots; they want assurance that their data, and their customers’ data, is secure. As attackers grow more sophisticated and AI-driven threats loom, the companies that survive—and thrive—will be those that treat cybersecurity not as a cost, but as a core product feature.
Or, as Keren puts it: “If we lose trust, we lose everything.”
