The comment left on my previous entry led me to an excellent blog at http://www.emergentchaos.com/.
One of the contributors to that blog, Arthur, makes an interesting and very true point: "security is 90% about marketing and sales and 10% about technology." I've made similar comments throughout this blog that managing risk is very much about dealing with perceptions and being able to communicate the right messages.
One of the ways I've been doing this recently is to present a list of risks to product owners and ask them the questions "how concerned are you about each of these risks?", "how well do you think you are doing in mitigating them?" This approach has led to a number of very frank and revealing discussions where not only have my audience learnt something but I've become more aware of what the business concerns are and taken feedback on how to better communicate security issues to a non-technical audience.
In fact, I'm working today on various related follow up processes: in particular making sure that all of the right resources are easily available and that communication of how to get to them and use them is clearly stated. I'm sure that this will be a continuing theme.
Comments (1)
An interesting thought is the converse, or the quasi converse.
Marketing without security and confidence that the marketing campaign engenders in the organisation doing the marketing, tends to fail.
However security concious you are, market to me in a sloppy manner and I just know I can't trust you. Make your marketing tight and make me aware that you care for my needs and I may ask you to quote for my business
Posted by Tim Trent | February 27, 2007 12:30 PM
Posted on February 27, 2007 12:30