Marketing Security

Houston, security has a branding problem.

People hate us. We’re the no people. The people that hold up procurement. The people that ask nosy questions. The people that spend money.

How do we change the vibe?

Marketing offers us a path forward. There are two groups – the P’s and the C’s – with four points each. In the P corner, we have product, place, price, and promotion. In the other corner, category, competitors, company, and customers represent the C’s.

Now, think of a brand role model. You, the reader, don’t matter here for this exercise: We want a brand that transcends such small divisions of geography or opinion, one role model everyone knows and can immediately picture in the same way.

Coca-Cola.

Kleenex.

The concept of a mug.

That’s what we want, right? For security to be built in.

Security is a combination of products and services. Beyond that, though, what is our Product? What are we offering people? Where’s our value?

We’re in the business of trust, as the opposite of risk. Security isn’t just a password and an inventory and a configuration and controls. That’s what security needs. But what security is, what we really are, is trust.

Importantly, we — us ragtag DefCon hooligans — must be as consistent as possible when we talk to normal people. Don’t laugh; I mean it. That’s the value we offer the business and the public: trust. We gain trust by being consistently consistent at every interaction point: every 2FA prompt, every headline, every conversation. Running around like idiots, spreading fear, uncertainty, and doubt is not helpful. If we wanna argue that SMS-based 2FA is insecure compared to a YubiKey, we do that inside the bubble. Normal people do not care about this; don’t confuse and scare people for no reason. Be nice to people.

Promotion is all about our messaging. We know we bring value to the table, but the business doesn’t believe that; otherwise, we’d all have the budgets of our dreams. This is something we can change! Be consistent. Be kind. Be realistic. We’ve been crying wolf for decades, and all it’s gotten us is the normalization of data breaches as the cost of doing business. How’s that going for us?

I mean, Y2K never happened, right? Forget the fact that thousands worked hard for years to fix it ahead of time.

A second starting point is to drop the security jargon when communicating with the business side. Assume they’re smart people with expertise, but their expertise isn’t ours. Make it relate to something they already know. If they know what a cup is, we’re the cardboard sleeve. We’re the personal protective equipment. We’re the lifeguards. We know we have value, and we must be able to communicate that in a way that makes sense to the people we need on our side.

Part of Promotion is teaching people basic security hygiene! Most folks today know how to use a microwave, right? Well, back when microwaves were the hot new kitchen appliance of every housewife’s dream, people didn’t know any of what is common knowledge today. Ads and other promotional material, including prominent demonstrations, had to teach the public how to use these newfangled devices. The know-how didn’t just appear in the public consciousness out of nowhere! It took work on behalf of the companies wanting to sell us the product to show us how to use it safely and why we would even want this new, expensive thing. Look back at old advertisements, or watch any period drama.

Hell, binge-watch ER and watch how the technology changes.

Security is any Place where we interact with normal people. That’s every time people click a phishing test link. Every data breach notification. Every time we yell about patching the latest critical vulnerability. Remember, it’s about consistency. No wonder people hate us! We’re the embodiment of the “well actually” meme, and, worse, we’re constantly in their faces about it.

This is where we must learn the fine art of compromise. Remember, we argue inside the bubble. There’s enough bad actors outside the bubble; let’s not make it harder for ourselves. We must pick our battles wisely. If we can make the user-level controls more user-friendly, do that! Like it or not, the associations people form on the user side affect how we have conversations on the business side. We’re all on the same team. Let’s act like it.

Security is a luxury Product because we charge a premium Price. You need a phone – preferably a modern smartphone. You need apps, and passwords, and time and effort and energy to jump through the extra hoops MFA requires. Sure, there are low-cost ways to get a phone and service, but there are still various other factors in someone’s life that can be huge barriers to adoption.

Market Price for a good or service settles on what people will pay for the good or service, based on the value it has to them. How does a person determine the value of a thing to them? In the Product, Promotion, and Place.

We all know we should floss. As a product, floss is cheap and easy to acquire. When was the last time you flossed?

Exactly.

If I were a stressed-out single parent working a full-time job and a side hustle to make ends meet, enabling MFA on my bank account would not be at the top of my priority list. If I were a stressed-out executive worried about making enough sales to make payroll that week, funding security isn’t a priority. Worse, when we don’t get funding, and nothing bad happens out of sheer luck, that’s just going to reinforce the perception that we’re all snake-oil soothsayers.

Basically, we’re doing a shit job of proving our value to the business and we’re wondering why no one wants to give us resources.

So what can we do about it?

Let’s strategize with the “C”s, and let’s play to win.

What kind of field are we fighting on?

Categorically, security is relegated to the IT space, with a special space set aside for physical security. IoT and critical infrastructure are slowly developing a need for more security. We could get more granular here, and define the category as “Identity Providers” or “SIEM Platforms”, but for this purpose that’s too much detail. When we compete for rent-free space in someone’s head, security is technological and physical.

This flows straightforwardly into defining the Competition. What are the alternatives to having good security? One is the obvious opposite – having poor security. Not an alternative that many of us would recommend, but it is technically an alternative. Risk accepted. It’s cheaper to throw money at fixing incidents than it is to prevent them.

Whisper the word “recall” at a manufacturer, I dare you.

Whatever risk is left over is the cyber insurance company’s problem. That’s what insurance is for, right? Whatever risk is left over from that is what we have to work with. It sucks to start at the basement, but hey, the only way out is up.

What about the Company makes it special? Another often-repeated line most of us know is “know thy business”. What is their brand, and how can security contribute to that? A good start is not destroying customer and/or investor trust with a poorly handled data breach. That gets us to a good neutral position, but we can do more. We can boost that trust by managing the budget we get wisely and investing in building a solid foundation, meeting compliance goals along the way. That means doing our jobs, and doing them well.

If we’re selling a Product, we must have a Customer: our end-users and executives. For every successful product, there’s a hundred failures for lack of Customers. Organizations rise and fall around the customer’s wants and needs, and so must security. No customers, no sales – no business, no security needed. That means more talking to the customers and less making punch lines of them.

Will it be easy? Of course not. It is, however, possible — as long as we all pull in the same direction.
