Security marketing should be much more than just end user security awareness. Why? In order to evolve the security organization from a reactive silo of technical expertise to a proactive business partner and enabler, stakeholders will need to be reeducated about the role and value of security, and CISOs will need to establish their own personal credibility as C-level executives who deserve a say in strategic decision-making. Without effective internal marketing, security efforts will go unrecognized and critical initiatives will fail. For example, one security manager I recently spoke with presented an organizational-level security strategy to the CIO in the hopes of obtaining further resources and funding. But the CIO responded: "Don't you just do backups and viruses? Why do you need more resources?" This CIO actually had no idea that the security team was responsible for security risk management, project consulting and advisory, security strategy, and other nontechnical strategic security activities.
At Forrester, we've heard from many executives that increasing the visibility and influence of the security team is a key area of importance (51% of security decision-makers see lack of visibility and influence within their organization as a challenge, or major challenge). Yet there are still several reasons why security groups are not excelling at a disciplined marketing approach.
But CISOs must focus on marketing security up, across, and down. A value gap exists in which security groups are unable to communicate and market their benefits, updates, and contributions to the enterprise and the value of engaging security teams. To close this value gap, information security must be marketed to three distinct levels within the organization, tapping a different approach for each constituent.
So how can CISOs and security teams overcome these boundaries and start running security like a business that incorporates an effective marketing strategy? After observing how organizations approach the issue of security communications, Forrester has developed four steps to help craft a plan that clearly identifies who to communicate with, and how to communicate with them: