What if we told you that as a security professional, a portion of your responsibility is marketing? You would likely tell us we are crazy. But both of us have experienced "aha" moments in our careers as security professionals, when we realized that part of being a successful security person is knowing how to market ideas to the organization.
All too often, security organizations neglect these fundamentals in favor of technology, process, or compliance. It is natural. Most security experts start as technologists or risk specialists and drift back inside their comfort zone. To illustrate this point, see if the story below sounds familiar.
Acme Co. hires its first CISO, Tanya. She hits the ground running, meeting people and hiring a team. She meets with her peers and describes her vision. The team gets hired and promptly starts rolling out products and tools to match Tanya's plan.
After an initial flurry of success in getting the organization aligned, things stall, as people stop implementing shiny new tools or following newly minted policies. Tanya is confused. She met with her stakeholders to explain her vision. She has an email from the CEO saying security is essential.
Frustration in the team rises. Fewer folks in the organization are using the tools or processes. Tanya resorts to the stick part of the carrot/stick and adds more punitive measures.
Security team members start to leave, and stakeholders stop taking meetings with her. They are "busy." Tanya begins to feel that the organization doesn’t "get" security, and she eventually moves on. Sadip arrives as the next CISO, and the process starts all over again.
Why marketing can help
Sadly, we would guess that most of you have been Tanya or worked in her organization at some point. Tanya would have had more success by taking a page from classic marketing techniques. And we know the reaction most security pros are going to have to this suggestion. Many technologists believe that marketing is a soft function that pushes out press releases and runs booths at conferences.
But in reality, marketing is about two things: building sustained relationships with your customers, and expanding the reach of your business or program by being ever-present in the marketplace. People will get behind a change when they understand and believe in the concept.
To get yourself in the right head space, start by thinking about relationships and reach. These two concepts are the foundation of any good business or program, from selling widgets to fundraising for charity to running a security program.
The core marketing phases
Here's a breakdown of the major phases of marketing and how they are relevant to a security team.
Prep: Do your homework
Answer these questions:
- What business problem are you trying to solve?
- Why is it important?
- Who are your stakeholders, and why do they care?
- How hard will the process be for your stakeholders?
Do your research; these questions/answers will serve as the basis for your marketing plan.
Exposure: Own the channels
Potential or current stakeholders need to know that your security organization or activity exists. Security needs to "own" all the channels to drive exposure and movement to the next phase.
One email is not going to suffice. You need a multi-channel approach—emails, wikis, blogs, seminars, and even those video screens in the cafeteria. Use every channel through which you can broadcast your message. The key here is that the message is ever-present.
Discovery: Double down on reach
Expand your message by directing stakeholders to content you have created that explains your organization and its activities.
The key here is that you need good, relevant content. Do not skimp on this. Believe it or not, your stakeholders are judging your team based on what they see.
For example, suppose you have set up your program to run static scans for XSS, while rolling out a training program and a marketing campaign to stomp out XSS in your environment. But the product you ship is not a SaaS website but a BOSE/SONOS speaker. While you are ticking a security box, you are not making it relevant to your audience, which is likely more interested in C++/firmware protections. Tailor the campaigns to your environment—not to check a box.
Consideration: Understand stakeholders' needs
Your stakeholders know about your team and services, but it is unclear whether they want to use either one. You must explain how a relationship with your organization meets the needs of your stakeholders.
The key is "their needs," and not yours. You will not foster a long-term relationship with a stakeholder if it is all about you.
Conversion: High-touch, low-friction onboarding
The messaging is out there, stakeholders can discover more, and there is an alignment of needs. This conversion phase contains the most critical step, as it sets the tone for the relationship going forward.
Security teams need to be extra helpful at the beginning of the relationship ("high touch") and simplify utilization ("low-friction onboarding"). Simplification will pay off tenfold with connection and reach.
Unfortunately, security teams frequently execute the exact opposite. The security team becomes low-touch ("We made the pitch and moved on") or high-friction ("The activity is way too hard to onboard").
Nurture your stakeholders
If the goal is to build a long-term relationship, how is your team nurturing the stakeholders? How excellent is your team's customer service? Are you ever-present with the stakeholder?
The key here is to be the right partner. Communicate often and well, be responsive, and listen to what they say. Reach out to your internal customers on a prescribed cadence, perhaps once a quarter; be humble by adapting to their needs; and remember the old marketing adage, "It is much easier to retain a customer than to find a new one."
Action items: How to get started in the real world
Almost convinced? Here's a real-world practice that allows you to apply these concepts: security champions.
A security champions program can magnify the reach, relationships, and resources of internal security teams. Security champions are individuals with an existing or newfound passion for security. The program provides a way to channel their interest and energy into positive security culture change for your organization.
Prep
The marketing challenge with security champions is twofold. First, you need to educate the entire organization about the availability of this new program that will make your organizational security posture better. Second, because you're asking for employees to take a percentage of their workweek and dedicate it to this volunteer effort, you must market the program's value proposition.
Exposure
To gain exposure for security champions, start with an email message announcing the existence of the program to the entire company. Aim far and wide with this broadcast because you do not know where the next generation of security champions sits today. They could be in non-engineering roles.
Your goal is to capture anyone with even the tiniest spark of interest in security.
After a broadcast approach for exposure, go grassroots. Start by setting up meetings with specific engineering teams and ask them to advertise the program during their all-hands and team meetings. Schedule sessions with small groups of developers and pitch them on joining the program.
For example, when Chris was building a security champion program for a Fortune 100 tech company 10 years ago, he traveled to Silicon Valley. He went building by building, knocking on cube walls and telling folks about the existence of the new security champion program.
In addition to building from the bottom, you will need to push from the top. Engage with senior leadership, brief them, and ask them to support this effort by sharing the message with their teams.
Discovery
Build a security champions site on your internal network and fill it up with relevant information that "sells" the program.
- Create a presentation that a manager can download and efficiently deliver to their team as a recruitment tool.
- Create pages that proclaim the charter of the program.
- Document the value proposition to both the employee and the employee's manager upon joining; make it easy to read.
- Publish a roster of all the existing security champions. You want potential recruits to see this as a burgeoning group that they wish to join.
- Provide a training experience to educate stakeholders about security and get people excited about the topic.
Consideration
You've moved past people knowing you exist and into them thinking about whether to become a champion (or whether to let their team member become a champion). At this stage, you need additional data for them to consume. This is where PowerPoint presentations come into play.
Craft the message to highlight how making this decision benefits the employee (growth in job role), the manager (more secure product), and the company (happier customers because products have fewer vulnerabilities).
If some folks are considering but need more of a push, you may have to set up individual calls, walk those people through the slides, and answer their specific questions about impact. Take these calls and communicate. You'll learn, and you'll have the opportunity to update your materials to serve potential future champions better.
Conversion
A high-touch, low-friction champion process has a team willing to take calls with interested people and a simple, precise method of signing up as a champion.
Nurture customer success and retention
Once someone becomes a champion, focus on making them successful in that role. Create an onboarding process with specific, measurable goals over the first 90 days of each champion's time with the program. Provide specialized training only for champions, connect new champions to the monthly champion meetings you host, and identify a mentor for each new champion.
You've invested heavily in landing this person as a champion, so you must take good care of them to ensure they want to continue with the program for years to come. Have a quarterly or yearly cadence of reaching back out to the champion's manager to relay their success. If the manager loses track of their champion, you'll lose the champion in the next year, when it is time to sign up again for a follow-on year.
Make security team marketing the norm
We have seen the value of understanding and utilizing marketing techniques in our security careers. If more security people embrace these ideas, people will view security teams differently and positive change will become the norm.