Monday, September 15, 2014

Hey security managers, go hire some marketing people for your team

This is not a plea for organisations to start actively hiring people away from vendor product marketing teams. But if you want to look for people to point the finger at and explain why you aren't getting the budget required to actually secure your environment, product marketing is a good place to start.

There were 2 key messages attendees should have taken away from the Gartner Security & Risk Management Summit in Sydney a few weeks ago:
  1. Security priorities tend to be set based on the threat du jour and audit findings.
  2. Security teams need to get better at marketing.
Here's the problem:
  1. Sensationalist headlines sell stories, which attracts more advertisers. This means the threat du jour will get the most airtime.
  2. People who hold the keys to budgets read headlines, which perpetuates the problem.
  3. Product marketing teams know this. So, to get more inbound traffic to their websites, the content creation and PR teams craft "stories" and "messages" around the threat du jour.
  4. Publications notice that vendor messages are in line with their stories, which fuels the hype.
It's like how seeing something on fire makes us think about checking whether our insurance covers fire damage. Meanwhile, the front gate's been broken for the past week but we've left it alone because no one's stolen anything from the house yet.

How can an internal marketing campaign driven by the security team help? You won't be able to stop the hype that builds up around the threat du jour. But as an internal team, you should know what the organisation you work for really cares about in business terms. Take audit findings as an example. While rather boring, translate audit findings into tangible, financial implications for the business and you suddenly have something worth talking about as an overall program instead of a checkbox to tick (which is unfortunately how a lot of internal security budgets get signed off).

As a starting point, take a look at my tongue-in-cheek post about contributed articles. While laced with sarcasm, the structure of my "meaningless contributed article" template works (because it's a structure many are subconsciously used to) if the content holds up. Ensure you have the following points covered:
  • Detail the industry trends that are affecting the organisation.
  • What are independent sources (both internally and externally) saying about them?
  • Why should the business care (don't use technical terms)?
  • Outline some meaningful metrics (an interesting metric does not necessarily mean it's useful - ask yourself if anyone in the organisation will care).
  • What does it mean in financial terms for the business if something is not done?
  • What have other organisations done to solve the problem?
  • What are the steps the organisation you work for need to take and what are the benefits (again, don't use technical terms)?
The mistake many of us make is in thinking marketing is easy; it's not. And it takes good marketing to sell security internally. Crafting an article can help hone in on what really matters and justify budget allocation, which makes it easier to ignore the noise.

Great marketing focuses on what matters by simplifying the messages and communicating the value, be it emotional or financial. This is what most security teams do not know how to do, which is why budgets are not allocated to fix that lock on the front gate. Instead, budgets are spent on fire insurance.

I know this is ironic coming from me as I work for a security vendor. But if security teams hired marketers to communicate the things that matter to an organisation's security instead of the threat du jour, we as an industry will benefit from it.

As an aside, ever notice how many security companies have the word "fire" in their name?

1 comment:

mike waddingham said...

Good post!

Marketing comes down to communicating your 'value proposition'. I've run a couple of large-scale Identity and Access Management programs and had success when I've kept to the key messages that support the value delivered by the program. For example, for IAM, repeating security compliance, ease of integration and privacy controls is a critical part of the marketing effort.

Branding is also very important. Creating a recognizable internal brand (logo, name, tag line, colour scheme, etc.) can really establish the program across the enterprise.