Advocating the rise of the Security Awareness Marketing function
Creative Commons Attribution-NonCommercial 2.5 License. https://xkcd.com/327/

A panel at the Computing ESRM summit was asked about the biggest risk to organisational information security:

So how to address the people issue? Well, automation can go some way to addressing it, as can appropriate technical controls. But ultimately security needs embedding in the thought processes of anyone handling sensitive information, directly or indirectly.

Don't most good security awareness "campaigns" have many of the hallmarks of marketing anyway? I would normally be first in line to advocate focussing on the goal (awareness), rather than the mechanism (marketing). However, a lot of current security awareness feels like posters and banner adverts, or painful sermons. Things that are all too easily missed in the age of brand relationships and social media. What's needed is creativity, humour, and techniques to engage and build communities around great content.

Different intent and metrics follow from the paradigm shift: marketing metrics like social engagement, conversion rates, and effectiveness of calls-to-action come to the fore. The need for multimedia and multi-channel strategies becomes clearer, as does the drive for engaging content. These metrics can even be shared and benchmarked; by pooling resources and best practice everyone can win together, even fierce competitors (book recommendation: Friend and Foe [affiliate]).

Segmentation (acknowledging the different needs of different groups, and targeting content appropriately) naturally follows from this, as does ensuring that value is delivered to those being reached. My favourite security awareness content is the XKCD below, though it's only going to work for a technical audience:

So what should the future of Security Awareness Marketing look like? People with deep knowledge of the security domain identifying the core messages, targeted at specific audiences, that are then produced and delivered by specialists in marketing and analytics. This may be too much to ask of SMEs but is within reach of many enterprises, and could readily be packaged as a service, or shared, for smaller organisations and the general public.

There's a case for saying this shift is already underway; my hope is that by calling for a change of terminology, this progress might accelerate and attract marketers into the field. It's time for the rise of the Security Awareness Marketing function.

What do you think? Let me know in the comments and please share and like to spread the word.

Regards
Andy Boura

Want more news and thoughts on Information Security and emerging Science and Technology? Then please follow me on Twitter or LinkedIn by connecting or clicking the follow button above. You may also be interested in some of my other posts.

@andy_boura

Technology, science, and business geek: Information Security Architecture, Risk Management, Software Development, Entrepreneurship, Business & Management.
Andy Boura

Cyber Security Leadership and Strategy | CISO

9 years ago

Thanks for sharing your experience and thoughts. I agree a more visceral demo can go a long way to making the message stick. Great to have metrics to back up its effectiveness. The trick is to get past FUD to something actionable and relatable.
