June 01, 2003
—
CSO
—
Thornton May talks in CAPITAL LETTERS. The longtime IT consultant and observer (and sometime vendor executive) is given to extreme phrases and inflammatory ideas, all expressed with maximum excitement. May aims some of his most vitriolic opinions straight at the security community, which he says has misbranded and miscommunicated itself into organizational irrelevancy. His solution: a "geek-to-suit messaging architecture" to help information security pros connect with corporate leadership. May discussed the successful branding of security with Executive Editor Derek Slater.

CSO: What got you going on geek-to-suit messaging?

Thornton May: I've spent the past 17 years watching CIOs slam into the brick wall. I think technology's been misbranded. Brands make things easier [to understand]. Brands are a promise. Brands embody trust, basically. Right now, if you look at what's happening in the IT world, there is a total lack of trust. And we're moving to a totally customer-driven world, where the customers are very brand aware and brand savvy.

With regard to the security area, in my days with [managed security services provider] Guardent, I did a giant job, basically an analysis and assessment of what was going on, securitywise, for a major client. And its [security] guys made CIOs look eloquent. If you look at the IT message ecosystem (what messages are being sent, who are they being sent by, what form are they being sent in, who are they being sent to and the ultimate impact of their receipt), there is so much wasted effort. [The messaging] is not designed to produce an efficacious impact. That is the real challenge for CSOs right now: Their message is so totally uncompelling.

CSO: Given the world we live in today, how can that be?

May: Exactly! How can security be uncompelling in a world that is screaming for it? These [CSO] guys couldn't sell water to a man on fire. They are gifted, gifted nonbranders! The reason is that they never got the idea that 80 percent is good enough. If I have to go to one more conference where everybody gets up and throws themselves on the cross of, "You will never be totally secure...." OK, then, how secure are we? "Uh...I can't tell you." OK, well then I'll just sit here and do [absolutely] nothing! Because that's what you're doing for me. The security guys offer no path, no promise.

CSO: What about the hypothesis that they are so completely earnest as to be incapable of BS?

May: No, I don't even think that's it. That's putting it in a cloak of nobility. I think they're so into their cult, their own Kool-Aid, that [they say,] "I'm the only person who knows how bad it is." The way organisms survive in a high-stress world is they collaborate and work together. Security people do not collaborate and do not work together. I don't see them rolling up their sleeves and saying, Let's solve this problem together.

CSO: We certainly have seen repeatedly the amazing rift and dislike between the infosecurity guys and the corporate security guys.

May: There's been no attempt to make them play nicely together, culturally. Basically, the Mensa guy walks in and calls corporate security the "dog-and-gun guys." And those guys call the computer guys "the geeks." They're not on the same page. They're not playing on the same team. Their social networks have never been brought together.

CSO: What's your solution? Is it a set of processes for translating the "geek" message into something that the CEO can understand?

May: The secret is that there is no geek message. There can't be. I went to a major event sponsored by McKinsey, with the top guys at Shell. The McKinsey guy keeps saying, "You've got to get IT aligned with the business." And the chairman of Shell says, "Son, I don't think you understand. At Shell, there is no such thing as an IT project. There are business projects that have IT stuff in them." There's no such thing as a security project. Right now, security is not a feature in anybody's product or service. It could be a critical differentiator: the new secret ingredient. That's why branding is so important.

CSO: Have you seen anyone do it right? Does anybody get the concept?

May: Not really. At American Express they're getting there, the whole Blue thing. ["Blue" is an AmEx credit card brand with embedded smart-chip technology for enhanced security in online shopping.] Security was part of that brand, but right now people are puckered up with regard to cost savings. And then security guys label themselves by saying, "This is going to cost you a lot of money, but you have to do it." And CEOs just respond, "I don't have to do it."