Do We Need a Marketing Manager for the Security Team?

Check out this post by Gabriel Friedlander of Wizertech Informatics Pvt. Ltd. for the discussion that was the basis of our conversation on this week’s episode of Defense in Depth. Steve Zalewski and I welcome our guest Laura Deaner, CISO, Northwestern Mutual, to debate the value of having some internal PR or marketing for the security department.

The security team needs help with messaging. Internal comms are important for getting the company on the same page, and security definitely has trouble getting itself heard, often managing it only through mandatory security awareness training. There are numerous benefits to having that kind of support. "Marketing talent can improve many areas of security program: reporting, user behavior, engagement with IT, onboarding processes, budget asks, board communication, etc," said Omar Khawaja, CISO, Highmark Health.

How should we be crafting the marketing message? Given that we need people to take action, it's important that the person doing the work is customer-oriented, not company-oriented, noted Mark van Horik of ProteQtor IT Security. Adrian Taylor of Deloitte provides the following guidance: "If we all think of who the stakeholder is, what’s happening in their world and why they should care about what’s being put in front of them, then that’ll go a long way."

Why the heck do we even have a security department? While there was plenty of commentary about not overwhelming your audience (Ron Craig of Info-Tech Research Group), the need to engage your stakeholders (Nick Sifniotis of Diamond Hand Software), and keeping policies short (Edward Gardner of New England Safety Partners), the real goal is for the company to actually care about the need for security and see the value of the security team. "If your workforce members don't know who you are, what you do, what's required of them, and how to engage your services, then you're just doing security in a vacuum and will never build a security culture," said Mark Gilman of Signify Health.

Should you tie compensation to driving a more secure environment? Laura Deaner was very bullish about building financial incentives into a security culture. We learned about some organizations that were giving out iPads to developers who discovered the most bugs. But Steve Zalewski asked why we shouldn't use the "stick" method to drive better behavior. We give the employees security awareness training, an effort that is usually dreaded. Why not create consequences for willfully ignoring security procedures?

Listen to the full episode here, check out the blog post to read the full transcript, and make sure you subscribe via your favorite podcast app so you don't miss another episode.

Thanks to all our other contributors (witting and unwitting): Sarah Moffat, Kendra Ross, Ashley Chackman, and Ram I.

Huge thanks to our sponsor, IANS Research

Join us NEXT WEEK, Friday [11-18-22], for "Hacking Cybersecurity Budgets for 2023"

In observance of Veteran's Day, there will be no Super Cyber Friday this week. But be sure to join us when we return next Friday, November 18, 2022 for "Hacking Cybersecurity Budgets for 2023: An hour of critical thinking about how to invest in the right products to maximize your return."

It all begins at 1 PM ET/10 AM PT on Friday, November 18, 2022 with guests Pankaj Goyal, senior VP, Safe Security, and Ngozi Eze, CISO, Levi Strauss & Co. We'll have fun conversation and games, plus at the end of the hour (11 AM PT/2 PM ET) we'll do our meetup.

Register

Thanks to our Super Cyber Friday sponsor, Safe Security

Cyber Security Headlines

In observance of Veteran's Day, there will be no "Week In Review" live show this Friday, November 11, 2022. But we will return Friday, November 18, 2022 for a short 20-minute discussion of the week's cyber news.

Subscribe to the podcast.

Thanks to this week's headlines sponsor, AppOmni

Join CISO Series LIVE in Clearwater, Florida on 01-10-2023

CISO Series is coming to Clearwater, Florida for our first live in-person recording at the Convene conference brought to you by the National Cybersecurity Alliance. We’re going to be the opening night’s entertainment for the event, which will be happening on January 10th, 2023. The event continues through the next day, January 11th, 2023.

Register here, and if you use this link you get 15% off. Discount code of “CISOSERIES” is already applied.

Huge thanks to our sponsors: KnowBe4, COFENSE, & Fortra's Terranova Security

Jump in on these conversations

"Need help determining what to ask for salary" (More here)

"How to propose a bug bounty program for a Fortune 500 company?" (More here)

"Frustrated with lack of 'entry level' security roles" (More here)

Register for all future Super Cyber Fridays

  • [11-11-22] NO SHOW - Veteran's Day
  • [11-18-22] Hacking Cybersecurity Budgets for 2023
  • [11-25-22] NO SHOW - Thanksgiving Break
  • [12-2-22] Hacking Cyberinsurance

Save your spot and register for them all now!

Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship, contact me, David Spark.

Nicole Darden Ford

SVP & CISO, Nordstrom | Future-Focused Tech Executive | Champion of DEI | Driving Digital Transformation for Strategic Business Growth

2 years ago

Love this discussion! I think there's immense value in embracing a "marketing" mindset, especially for education and outreach initiatives.

Ashley Chackman

Human Risk & Employee Engagement Leader | OSINTer by night

2 years ago

Thanks for the mention David Spark. I like to think of marketing in security as explaining the "why should it matter to me" part of security.

Me being recognised by LinkedIn for my contribution to the article.

William Hall

UNC Health, CISSP, CISM, CPHIMS

2 years ago

This conversation has a direct parallel to the conversation that started a century ago in healthcare - basic sanitation. Wash your hands. Wear PPE. There was a lot of skepticism when it was introduced into clinical workflows. Now, after a lot of data, communication, training, and accountability, it’s just part of the job. InfoSec needs to be raised to the same level of awareness for basically the same reasons.

Mark van Horik

Passionate about marketing that is really meaningful ★ Helping businesses build genuine relationships ★ Tech should serve us, not rule us ★ Turning marketing into a force for good (and not just generating leads)

2 years ago

Thanks for quoting me, David! I would like to add to this discussion that you should not regard 'marketing' as a department/function, but more as a way of thinking: everything you do is customer-oriented, whereas the 'customer' can be the person you are 'selling' to, or it can be your colleague who you want to adapt a certain way of thinking or behaviour. Marketing is becoming more and more the 'glue' in an organization. Why? Because it's marketing's mission to understand the customer and align their interests with those of the organization. That customer-centric mission can be overlaid on other challenges within the organization. Think about hiring new talent (the rise of recruitment marketing) and now also security (the rise of security marketing?). This latter should not be confused with the marketing of security tools, that's the selling part. Marketing and Security are in that perspective the same. Not to be regarded as departments but as an integral part of the organization. Where Marketing is the binding part ('glue'), Security is the protective part ('shield'). Everyone in the organization should have in their DNA to be customer-centric and protective. Often not a reality, but a nice goal to strive for, I think.
