While many security groups focus their communication activities on end-user security awareness, they have stopped short of planning for the fundamental activity of presenting their products, services and capabilities to their key stakeholders. In a recent Forrester survey of security decision-makers and influencers, 54% of respondents indicated that their CISO or equivalent reported to a C-level executive. Additionally, 46% of CISOs now report outside of IT.
Advocating security in the organisation
As security reports higher into the organisation, reports more often outside of IT and takes on more responsibility, it will be more essential than ever to have an effective marketing and advocacy plan in place. Even as the CISO reports higher into the organisation, many executives and stakeholders still view the security organisation as a policy enforcer, not an enabler. If you as a CISO want to evolve your security organisation from a reactive silo of technical expertise to a proactive business partner, you'll need to re-educate stakeholders about the role and value of security and you'll need to establish your own personal credibility as a C-level executive who deserves a say in strategic decision-making. Along the way, you'll need to continue to build the business case for funding and for early inclusion in important business and IT initiatives.
According to Forrester's security survey, 51% of security decision-makers and influencers believe that lack of visibility and influence within their organisation is a "challenge" or "major challenge" for them. In addition, 66% of these respondents find lack of budget to be a challenge or major challenge.
Don't you just do backups and viruses?
One security manager Forrester spoke to presented an organisational-level security strategy to the CIO in the hopes of obtaining further resources and funding. The CIO responded: "Don't you just do backups and viruses? Why do you need more resources?" The CIO had no idea the security team was responsible for security risk management, project consulting and advisory, security strategy and other non-technical strategic security activities.
Security initiatives don't necessarily fail as a result of bad technological choices or products. Rather, they fail because security leaders don't understand the business needs or the complex organisational rules and structures, or don't engage with the appropriate stakeholders. Data leak protection (DLP) projects in particular fail for this reason. The technology is not difficult to deploy; the difficult part is mapping and understanding data flows, identifying and assessing risk and defining appropriate policies.
CISOs need to engage with business owners, system owners, software developers and vendor managers to ensure projects engage with security at the earliest stages. This occurs by sheer luck in some organisations. Only a few seem to have created mature governance and two-way communication models to allow this engagement to happen formally. If various groups wait too long to engage security, security is pegged as the bottleneck or "the group of no" when they have to raise security and risk concerns. This happens frequently during the negotiation and finalisation of outsourcing contracts.
CISOs know that they have to start running security like a business, so they pay close attention to finances, governance and process. But what business brings its products or services to its customers without marketing? The key for security is to overhaul its stereotypical thinking about marketing. It needs to take marketing seriously and it needs to take a disciplined approach.
Four steps to successful security marketing
After observing how organisations approach the issue of security communications, Forrester has developed four easy steps that can help you create a plan that clearly identifies whom in the organisation you need to communicate with and how to communicate with them.
Step 1: Define key stakeholders
Many security professionals are tempted to begin a marketing plan with channels such as the intranet, leaflets or posters. There is a temptation to limit communications to the average end-user. It's important to think of every major business function or role as an audience (such as HR and finance). You should also think of every major IT function or role as a critical audience, particularly roles such as enterprise architecture, application development and IT infrastructure and operations. To influence effectively, you need to understand who it is you're trying to influence.
Once you have identified your audience, you need to understand what their communications needs are. If you're not certain of what your audience needs, ask them! You will save a lot of time, money and wasted energy by avoiding going down an unnecessary path. For example, one security team surveyed their enterprise to determine what services the enterprise needed from them. They were surprised to find out that the enterprise didn't even know a security team existed, much less how to contact them.
Step 2: Define key messages for each stakeholder group
Once you understand and have defined what your key audience groups need, you can decide what you want to say to them. Different audiences need different messages and delivery mechanisms to optimise the comprehension of those messages. For example, you want application developers to be aware of secure coding best practices and you want sourcing professionals to engage security early in any outsourcing contracts. You can only communicate a certain number of messages at once, so decide what they are and keep them concise. A great example of this is end-user awareness campaigns. Steer away from communicating your entire security policy; instead, focus on the behaviours that pose risk and require change, and develop your messages accordingly.
Step 3: Determine key communications campaigns
Once the messages have been determined, it's time to decide how to disseminate them. Create one or more campaigns for the delivery according to your audience and their needs. There are many effective communication campaign delivery methods: brochures, comics, computer-based training, e-mails, events, leaflets, fact sheets, e-newsletters, newspapers, phone, posters, radio, screen savers, SMS, training, TV, video and website development, among others.
Each of these methods has its own advantages and disadvantages. A thorough understanding of your key audience's needs will go a long way in selecting the best method. You may even want to consider multiple methods. End-users often require entertaining messages, whereas senior executives prefer straight-to-the-point, fast communication. European organisations need to consider details such as the different languages spoken by the audience and any cultural barriers that may prevent or enhance effective communications.
Step 4: Execute security communications plan
This is perhaps the most important step and can mean the difference between a well-implemented plan that focuses on the audience and a mediocre plan that focuses on the needs of the security group and its technical view of the organisation. One or more staff members can implement separate campaigns (for example, traditional user-awareness programs), depending on the subject matter expertise required. However, one person should oversee the general direction of the plan. This ensures that key messages are adhered to and that the campaigns are delivered on time.
This is an excerpt from the Forrester Research report "How To Market Security To Gain Influence And Secure Budget" (January 2011) by Jinan Budge, senior analyst & advisor at the Forrester Leadership Board for Security & Risk professionals.