How to market IT security to gain influence and secure budget
Don't shy away from the "M" word, says Forrester's Jinan Budge. Here's a 4-step security marketing plan.
By Jinan Budge, Forrester Research
February 22, 2011 — CSO —
What defines IT marketing? It's the business activity of presenting IT products, services, and capabilities to constituents in a way that makes them eager to fund and utilize. While many security groups focus their communication activities on end user activity awareness, they have stopped short of planning for the fundamental activity of presenting their products, services, and capabilities to their key stakeholders. There are many reasons given for missing this critical step, such as attitudes of security professionals, lack of business acumen to develop effective marketing and communications strategies, and the ever present too-much-work reason. But as security decision-makers report higher into the organization and take on more responsibility, it will be more essential than ever to have an effective marketing and advocacy plan in place.
Security marketing should be much more than just end user security awareness. Why? In order to evolve the security organization from a reactive silo of technical expertise, to a proactive business partner and enabler, stakeholders will need to be reeducated about the role and value of security, and CISOs will need to establish their own personal credibility as a C-level executive who deserves a say in strategic decision-making. Without effective internal marketing, security efforts will go unrecognized and critical initiatives will fail. For example, one security manager I recently spoke with presented an organizational-level security strategy to the CIO in the hopes of obtaining further resources and funding. But the CIO responded: "Don't you just do backups and viruses? Why do you need more resources?" This CIO actually had no idea that the security team was responsible for security risk management, project consulting and advisory, security strategy, and other nontechnical strategic security activities.
At Forrester, we've heard from many executives that increasing the visibility and influence of the security team is a key area of importance (51% of security decision-makers see lack of visibility and influence within their organization as a challenge, or major challenge); there are still several reasons why security groups are not yet excelling at a disciplined marketing approach.
But CISOs must focus on marketing security up, across, and down. A value gap exists in which security groups are unable to communicate and market their benefits, updates, and contributions to the enterprise and the value of engaging security teams. To close this value gap, information security must be marketed to three distinct levels within the organization, tapping a different approach for each constituent.