19.04.2024

Or do we still need to talk about security communications?

In 2011, I published a report on “How To Market Security To Gain Influence And Secure Budget”. I am now going through the process of refreshing this report, and it got me thinking:

What has changed in this space of security communications and influence since 2011? And

Do I still need to write about the importance of security communications and marketing? Or have we now nailed it?

In 2011, that discussion was desperately needed. Back then, when people talked about security communications, it was ‘usually’ in response to one of the communications controls in ISO 27001/2. They ‘usually’ achieved it by running a once-a-year mandatory security training program. Tick – we’ve communicated!

This made my job of writing about this topic easy. There was a lot for us to do!!!!

(For those interested) In my 2011 report, I suggested that the once-a-year approach to security communications (security awareness modules) is a very limited view of ‘communications’. We needed to extend the notion of communication much further – security needs to market itself to many stakeholders up, down and across the organisation. For example, our engagement with senior execs back then was minimal – no wonder we were struggling so much with visibility and influence, and weren’t able to get budget. We neglected whole groups such as our developers, architects, lines of business and other influencers who ultimately support us or make our lives difficult. Things have changed…

Have we nailed it? Or do we still need to talk about security communications?

In 2011, 51% of security leaders believed that lack of visibility was a challenge for them. Fast forward to 2018, and only 19% of security leaders believe that a lack of visibility is a challenge. Statistically, that’s a HUGE drop. Is that drop because we’ve nailed this field? Have we become so good at security communications that this is no longer an issue? If so, should I even be covering this?

I remain very passionate about the topic of security influence and communications, so I would like to keep on writing about it. Not only can we not afford to rest on our laurels (lest we return to those dark days), I want to share some of the best practices that smart organisations are following. For example, there are many security executive influence services in the market right now – some of these have been very successful in effecting real and lasting change. There are equally many excellent end-user tools and services which mercifully extend well beyond the yawn-worthy training modules. And… there are amazing cyber influence / engagement / awareness teams. Cyber influence managers are doing great things to bring about security cultural change such as escape rooms for end users, terrific videos and many other activities that we all need to know about.

But what else? How else is this field of security influence and communication changing? What else should I be writing about? What do you want to know?

So let me know your thoughts – I’m always so inspired by your thoughts and comments.
