How to market IT security to gain influence and secure budget

What defines IT marketing? It’s the business activity of presenting IT products, services, and capabilities to constituents in a way that makes them eager to fund and utilize. While many security groups focus their communication activities on end user activity awareness, they have stopped short of planning for the fundamental activity of presenting their products, services, and capabilities to their key stakeholders. There are many reasons given for missing this critical step, such as attitudes of security professionals, lack of business acumen to develop effective marketing and communications strategies, and the ever present too-much-work reason. But as security decision-makers report higher into the organization and take on more responsibility, it will be more essential than ever to have an effective marketing and advocacy plan in place.

Security marketing should be much more than just end user security awareness. Why? In order to evolve the security organization from a reactive silo of technical expertise, to a proactive business partner and enabler, stakeholders will need to be reeducated about the role and value of security, and CISOs will need to establish their own personal credibility as a C-level executive who deserves a say in strategic decision-making. Without effective internal marketing, security efforts will go unrecognized and critical initiatives will fail. For example, one security manager I recently spoke with presented an organizational-level security strategy to the CIO in the hopes of obtaining further resources and funding. But the CIO responded: “Don’t you just do backups and viruses? Why do you need more resources?” This CIO actually had no idea that the security team was responsible for security risk management, project consulting and advisory, security strategy, and other nontechnical strategic security activities.

[ For an in-depth look at applying marketing principles to all types of security, see Secrets of their success from CSO’s Image Issue ]

At Forrester, we’ve heard from many executives that increasing the visibility and influence of the security team is a key area of importance (51% of security decision-makers see lack of visibility and influence within their organization as a challenge, or major challenge); there are still several reasons why security groups are not yet excelling at a disciplined marketing approach.

But CISOs must focus on marketing security up, across, and down. A value gap exists in which security groups are unable to communicate and market their benefits, updates, and contributions to the enterprise and the value of engaging security teams. To close this value gap, information security must be marketed to three distinct levels within the organization, tapping a different approach for each constituent.

So how can CISOs and security teams overcome these boundaries, to start running security like a business that incorporates an effective marketing strategy? After observing how organizations approach the issue of security communications, Forrester has developed four steps to help craft a plan that clearly identifies who to communicate with, and how to communicate with them:

Step 1: Define Key Stakeholders. Security teams should think of every major business function or role as an audience, including the IT function. To influence effectively, it’s important to understand who you’re trying to influence and what their communications needs are. If you aren’t certain of stakeholder needs, ask them.

Step 2: Define key messages for each stakeholder group. Once stakeholders are identified, it’s time to define how the message will be delivered. Since different audiences need different messages, delivery mechanisms should be optimized for maximum comprehension. And since you can only communicate a certain number of messages at once, decide what they are and keep them concise. A great example of this is end user awareness campaigns--steer away from communicating your entire security policy, but focus on the behaviors that pose risks and require change, and develop your messages accordingly.

Step 3: Determine key communications campaigns. With messages determined, it’s time to decide how to deliver them. Depending on the audience and their needs, one or more campaigns for delivery might be necessary. While there are many effective campaign communication delivery methods, such as brochures, emails, fact sheets, and SMS, among others, a thorough understanding of key audience needs will go a long way in selecting the best method.

Step 4: Executive security communications plans. This is perhaps the most important step, and can make the difference between a well implemented plan that focuses on the audience and a mediocre plan that focuses on the needs of the security group and its technical view of the organization. While one or more staff members can implement separate campaigns, it is essential for one person to oversee the general direction of the plan. This will guarantee that key messages are adhered to, as well as achieving a timely delivery of the campaigns.

CISOs need to continue to drive communications personally. Leading security executives make communicating business value a day-to-day practice. The individuals position security’s value within the organization through a concentrated effort to identify the right stakeholders, to meet with them on a frequent basis, and to find ways to promote security’s activities to business value. It’s only through effective communications and relationship-building that you will promote your security group and get the buy-in, funding, and support that you need.

However, it’s important to remember that creating, executing, and seeing the results of marketing efforts will take time. The business, and even other IT groups, has thought of security as an enforcer for years; changing this perception won’t happen overnight.

Jinan Budge is Senior Analyst and Advisor at Forrester Research, serving security and risk professionals.