Last week’s post was a bit of a downer; it lays out an important but bummer truth for security people: your goals will never be a top priority for your organization. I also describe the best way I’ve seen to succeed within these constraints: push people to standard, shared service solutions and invest your effort toward protecting those solutions.
On its face, this strategy seems intuitive to most veteran security leaders. I’ve even heard industry friends respond, “Well, duh, Dylan. Did you just now figure this out?” with a wry smile.
Still, I’ve seen plenty of people in security take different approaches. Further, establishing this core approach is foundational to further (and more novel) strategies that build on it. Today, I explore strategies for explaining the value of security. This is a key prerequisite to credibly pushing your organization toward standard solutions.
Luckily, there are already best practices in this space: educating people about value at scale is called Marketing, and educating them about value individually is called Sales.
We’re gonna steal their ideas today.
Step 1: Understand your Audience
This is such an ingrained principle that Marketing experts forget it sometimes needs to be said: if you want to persuade someone that what you have is valuable, you first must figure out what’s important to them.
Good marketing teams spend a lot of time researching the perspectives and values of their intended audiences. Tom Burrell in the 80s and Subaru in the 90s are frequently cited examples of great delivery on this approach, and modern marketing thought leaders are refining it. In many ways, the data-driven marketing trend of the last 10 years is its natural evolution: more knowledge about someone allows you to tailor your ads to them, and thus improve the performance of each impression.
Finding out what’s important to people inside an organization is substantially easier than on the open market. Your intended audience is often small enough to allow you to ask them individually, and you can often substitute a leader’s perspective for that of their entire team. You can often get organizational and team priorities from periodic staff meetings, and you can learn just as much about a leader’s goals from the topics they omit as from what they do discuss.
Step 2: Connect with your audience’s goals
Once you know what someone cares about, the next step is explaining how you help them achieve it. For security, this is often about loss avoidance: how your accomplishments reduce the chance that their goals will fail because of an incident.
Sometimes, you can even make a case that good security directly helps them with their goals. The most frequent example is usually in establishing trust with external customers: if they are worried about whether your organization will protect them, they will be less likely to buy. Good security (and commensurate customer-facing security marketing) can meaningfully improve revenues and margins for some products and markets.
When possible, show examples of how past and current security efforts support your audience’s goals. This is easier one-on-one, but is common in customer-facing marketing too.
Step 3: Call to Action
Once you’ve established trust and credibility with your audience, you need something from them. For most of them, that’s the whole point, right? Even if you don’t think you need anything specific from the audience, ask for something anyway. Every time someone does something you ask, it helps build a pattern and mindset within them: “I’m a person who helps security.” At scale, this can be a powerful cultural force that makes it much easier for you to get things done.
A Call to Action (CTA) is a marketing term for a button on a webpage that starts the process you want the reader to follow. CTAs work great; many marketing firms have a rule to have at least one CTA on each webpage. CTAs also lower the barrier for people to take the action you want.
Note: CTAs are most useful in employee-facing communications. An audit relationship has restrictions that remove most of the value of a CTA, and in customer-facing security messaging the sales or marketing rep will manage the overall customer experience, so let them make the CTA.
Delivering on this three-step approach differs slightly between 1–1 or small-group dynamics (Sales) and broad messaging (Marketing).
Remember your role: you are not a cop; that is the path toward failure and frustration. Security is not anybody’s top priority, so to improve it at your organization, you need to meet people where they are and make their next best step as easy as possible.
It can be helpful to think of all security outreach as marketing: it persuades people to do what you want. Examples include:
- Education and Awareness campaigns
- New Hire handouts
- Reference Architectures
- Security Intake pages
- Organizational procedures
With all marketing, you balance concision with helpfulness. On one hand, it needs to be complete enough to be meaningful. On the other, every additional word increases the chance that you lose someone. Good marketers know that the best way to improve the stickiness of a message is to segment by audience. This allows them to tailor their message to exactly and only what each market segment wants and needs to hear.
To deliver on this strategy, it can be helpful to write a little charter for each piece of marketing, consisting of the following.
Format
Everybody learns differently. If a message is important for many people to understand, consider delivering it in different ways:
- “Sales Slick” style: lots of white space, color, and pictures. This works best for the most people, and should be your standby for diverse groups such as new employees and distracted executives.
- Presentation style: The “video” version of the Sales Slick; the same design approach applies.
- “Policy” style: sometimes you just have a lot to say, and the words you use are important. Lawyers, auditors, and perfectionist IT engineers usually eat this up.
- “Demo” style: Demonstrating what you want people to do using a concrete example can make it real in ways a policy never can. Recorded or live.
- Q&A style: Usually best paired with a live presentation or demo. Encouraging people to ask questions can really increase understanding and buy-in. Even better, it often identifies flaws so you can improve.
The main message
- “Summarize for customers how our security is strong, so they should trust us.”
- “Explain remote work expectations to work-from-home employees.”
- “Explain to the contract review team what kinds of clauses are unacceptable.”
- “Explain to developers why they should pay attention to SAST.”
- “Explain to developers why good CI/CD governance improves average release quality and reduces security bugs.”
- “Explain to workers how and why to report a phishing attempt.”
Bonus: What does success look like?
- “More assets in the CMDB will have accurate metadata.”
- “More servers will be patched before the vulnerability scans start.”
- “Fewer lost deals where our security was a factor.”
- “Fewer production releases introduce new application vulnerabilities.”
- “More people report phishing attempts.”
- “The CEO clicks fewer bad links.”
Connecting with your audience
Not every piece of marketing material you release should fully connect back to organizational goals. Remember, you’re going for concision, too: don’t make people scroll past some copypasta about Leadership Principles when they’re just looking for the password complexity rules.
Good marketers have the same problem, and solve it with consistent reminders, visual cues, and organization. You can too.
You may want to enlist help from marketing professionals; there’s an art to this. Here are some easy thoughts to get you started:
- Have a security website for each major audience segment, and put every segment-appropriate piece of marketing on it.
- Create a security logo and tagline that you apply to all marketing materials. This should remind people of why security helps deliver your organization’s goals. Bonus: link your logo to an appropriate security webpage.
- Each website should cover the major ideas of security: why it’s important to that audience, what they need to know about it, and how they can find more.
- Make your websites organized and searchable. Use menus and breadcrumbs to help people see how the content in front of them fits into the overall picture.
- Use CTAs. Almost all content (especially on the worker-facing website) encourages the reader to do something. If someone is reading the content, they are likely already in the situation it describes. It’s so easy to put a link at the end of the page to do the thing you want. The other hidden benefit of a CTA: it can expose other practical barriers to success. If it’s hard to add one because there’s no easy way for readers to follow your advice, that’s a bigger problem.
Originally published at https://saltyonsecurity.net on February 18, 2022.