The premise of always-on CX has fundamentally shifted from an infrastructure problem to a security problem. Where outages once meant data center failures, the longest and most damaging disruptions now stem from breaches, credential stuffing, fraud spikes, and the containment actions they trigger. Zendesk's data shows 56 percent of CX leaders experienced a breach targeting customer data in the past year, whilst 70 percent of consumers will abandon companies they perceive as having inadequate security. The M&S breach in 2025 crystallized this reality: a security incident cascaded across channels simultaneously—suspending online orders, destabilizing the mobile app, disrupting contactless payments and click-and-collect—and cost an estimated £300 million over three months. The failure wasn't technical unavailability; it was the loss of trust in customer identity and account integrity, which forced the company to take systems offline entirely. For CX teams already managing omnichannel complexity, this introduces a new dimension of resilience planning that goes beyond uptime metrics.
Resilient CX organizations are reframing "always on" to mean designing experiences that degrade safely under attack rather than collapse entirely. This requires treating identity confidence as a dynamic score informed by device signals, behavioral patterns, authentication strength, and breach exposure indicators—and letting that score automatically determine what customers can do at any moment. When confidence is high, self-service flows freely; when it drops, the system adds verification steps or routes to safer channels rather than blocking customers outright. The fragile points are predictable: login, password reset, checkout, and account changes. These are where attackers strike first, and where improvisation during an incident turns both security and CX into failures. Contact centers become critical infrastructure in this model, not an afterthought—they need pre-built escalation paths, identity-verification procedures, and incident-specific scripts to handle the surge of confused customers without becoming a backdoor for attackers. The question for teams running Zendesk or Salesforce is whether your current incident response playbooks account for how security decisions will affect customer journeys in real time, or whether security and CX are still operating in separate silos during a crisis.
The operational implication is that CRM and CDP platforms must function as continuity engines during incidents, not just customer data repositories. This means maintaining a "last-known-good" state—displaying balances or order status with timestamps, limiting actions whilst preserving visibility, and explaining constraints clearly to prevent panic and retry storms that overwhelm support. Automation becomes dangerous during incidents if it acts on compromised signals, so resilient teams prebuild fallback modes that switch to conservative routing, narrow bot capabilities to safe tasks like status updates and FAQs, and add guardrails around sensitive actions. The coordination required between security, IT, and CX is non-negotiable; without it, teams end up improvising under pressure, which is precisely when both security and experience degrade fastest. For support leaders, this means treating security resilience as a CX design problem from the start, not a compliance checkbox added later.
“Always-on” customer experience has become shorthand for availability: 24/7 support, globally distributed channels, elastic cloud infrastructure, and aggressive service-level agreements (SLAs). But the last few years have exposed that when customers can’t get through, access accounts, or trust what