Have We Nailed It, Or Do We Still Need To Talk About Security Communications?
In 2011, I published a report titled “How To Market Security To Gain Influence And Secure Budget.” I am now going through the process of refreshing this report, and it got me thinking:
- What has changed in the space of security communications and influence since 2011?
- Do I still need to write about the importance of security communications and marketing? Or have we nailed it?
In 2011, we desperately needed to have that discussion. Back then, when people talked about security communications, it was usually in response to one of the communications controls in ISO 27001/2. They usually achieved it by running a mandatory security training program once a year. Tick — we’ve communicated!
This made my job of writing about this topic easy. There was a lot for us to do!
My 2011 report suggested that the once-a-year approach to security communications — security awareness modules — was a very limited view of “communications.” We needed to extend the notion of communication much further: Security needs to market itself to many stakeholders up, down, and across the organization. For example, our engagement with senior execs back then was minimal; no wonder we struggled so much with visibility and influence and weren’t able to get budget. We neglected whole groups, such as developers, architects, lines of business, and other influencers who ultimately support us or make our lives difficult. Things have changed . . .
In 2011, 51% of security leaders believed that lack of visibility was a challenge for them. Fast-forward to 2018, and only 19% of security leaders believe that lack of visibility is a challenge. That’s a huge drop. Is that drop because we’ve nailed this field? Have we become so good at security communications that this is no longer an issue? If so, should I even be covering it?
I remain very passionate about the topic of security influence and communications, so I would like to keep writing about it. Not only can we not afford to rest on our laurels (lest we return to those dark days), but I also want to share some of the best practices that smart organizations are employing. For example, there are many security executive influence services in the market right now; some have been very successful in effecting real and lasting change. There are equally many excellent end user tools and services that mercifully extend well beyond the yawn-worthy training modules. And there are amazing cyberinfluence, cyberengagement, and cyberawareness teams. Cyberinfluence managers are doing great things to bring about security cultural change, such as escape rooms for end users, terrific videos, and many other activities that we all need to know about.
But what else? How else is this field of security influence and communication changing? What else should I be writing about? What do you want to know?
So let me know your thoughts — I’m always so inspired by your thoughts and comments.