How do security pros typically make the case for more, better or stronger security? Answer: Numbers - big numbers! I recommend adding a few stories.

How do security pros typically make the case for more, better or stronger security? Beyond scaring crowds at the beginning of presentations, how do we convince senior management that we need more resources than last year?

Answer: Numbers – big numbers! We still use quite a bit of fear, uncertainty and doubt (FUD) as well, but metrics, dashboards and score cards are hot items right now.

Yes, there are good reasons for using security metrics and big numbers. Here are a few recent headline examples:

Computer viruses, trojans, malware, ransomware, botnets: Web attacks are soaring – “In its quarterly “Threats Report,” Intel subsidiary McAfee said that it had found more than 8 million new kinds of malware in the second quarter, up 23% from the first quarter. There are now more than 90 million unique strands of malware in the wild, the security company said.”

Cyber Attacks On Feds Soar 680% In 6 Years: GAO – “Reported cybersecurity incidents at federal agencies have risen 680 percent in six years, the Government Accountability Organization testified today — and note that key word “reported,” which means that’s just the ones we know about.”

Global cyber-security tab hits $10 billion – “Cyber-attacks on U.S. computer networks rose 17-fold from 2009 to 2011, according to data cited by Gen. Keith Alexander, head of the National Security Agency and U.S. Cyber Command, at a July conference.”

Budget cuts and the next Pearl Harbor – “Billions at stake”

But is this the most effective strategy? There is no doubt that good measurements are essential in technology, security and all areas of business. We need to make sure that the measurements we are using are relevant and accurate. We need to compare where we were to where we are and where we are going. We need to ensure that we are aware of new trends and innovative approaches.
Find Relevant Stories

I found it interesting that both political parties featured speakers who told stories at their 2012 conventions. Sure, there were numbers describing the federal deficit, unemployment rate, number of jobs created and more, but most speakers connected the numbers to real-life situations and personal stories. I like this excerpt from the CNN article about the candidates’ wives:

“We Americans believe that a wife can tell us about her husband in ways we can’t discern from ads, stump speeches, or even debates: about his personal morality, his character, how he reacts to crisis — in short, who he really is.”

I think the same is true of making the case for cybersecurity. Sure, we need to measure progress with good numbers, but add a story or two to make the situation real to the audience you are speaking to. I like the slideshow examples provided by this Bloomberg article on Extortion in the Digital Age. Here’s an excerpt from their 3rd example:

Holding S.F.’s Network Hostage

“A San Francisco city employee was so desperate to save his job as a network technician that he hijacked the city’s computers and held them hostage to protest his reassignment in 2008. Terry Childs was being transferred because of conflicts with management when he locked out his supervisors by withholding network passwords, prosecutors said. Childs’s move was described by prosecutors as a “power play” to turn the city’s network into a “pawn” in his feud with management. He gave up his fight after a high-profile intervention: Then-Mayor Gavin Newsom paid a visit to Childs in jail and left with the passwords. Childs was sentenced to four years in prison.”

Notice how real names, real people and real situations, told with specific details, build a very intriguing case? I think security pros can learn from these stories – and be more effective if we can learn to tell the stories in ways that impact the audience we are talking to.

What are your thoughts on this topic?
Any good cyber stories to share?