Security Marketing and Sales

Last week's post was a bit of a downer; it lays out an important but bummer truth for security people: your goals will never be a top priority for your organization. I also describe the best way I've seen to succeed within these constraints: push people to standard, shared service solutions and invest your effort toward protecting those solutions.

On its face, this strategy seems intuitive to most veteran security leaders. I've even heard industry friends respond, "Well, duh, Dylan. Did you just now figure this out?" with a wry smile.

I've seen plenty of people in security take different approaches. Further, establishing this core approach is foundational to further (and more novel) strategies that build on it. Today, I explore strategies to explain the value of security. This will be a key prerequisite in credibly pushing your organization toward standard solutions.

Luckily, there are already best practices in this space: educating people about value at scale is called Marketing, and educating them about value individually is called Sales.

We're gonna steal their ideas today.

Nic Cage will help us

Core Strategy

Step 1: Understand your Audience

This is such an ingrained principle that Marketing experts forget that it sometimes needs to be said: if you want to persuade someone that what you have is valuable, you first must figure out what's important to them.

Good marketing teams spend a lot of time researching the perspectives and values of their intended audiences. Tom Burrell in the 80s and Subaru in the 90s are frequently-cited examples of great delivery on this approach, and modern marketing thought leaders are refining it. In many ways, the data-driven marketing trend of the last 10 years is its natural evolution: more knowledge about someone allows you to tailor your ads to them, and thus improve the performance of each impression.

Finding out what's important to people inside an organization is substantially easier than on the open market. Your intended audience is often small enough to allow you to ask them individually, and you can often substitute leader perspectives for entire teams. You can often get organizational and team priorities from periodic staff meetings, and often learn just as much about a leader's goals from omitted topics as what they do discuss.

Step 2: Connect with your audience's goals

Once you know what someone cares about, the next step is explaining how you help them achieve it. For security, this is often about loss avoidance: how your accomplishments reduce the chance that their goals will fail because of an incident.

Sometimes, you can even make a case that good security directly helps them with their goals. The most frequent example is usually in establishing trust with external customers: if they are worried about whether your organization will protect them, they will be less likely to buy. Good security (and commensurate customer-facing security marketing) can meaningfully improve revenues and margins for some products and markets.

When possible, show examples of how past and current security efforts support your audience's goals. This is easier one-on-one, but is common in customer-facing marketing too.

Step 3: Call to Action

Once you've established trust and credibility with your audience, you need something from them. For most of them, that's the whole point, right? Even if you don't think you need anything specific from the audience, ask for something anyway. Every time someone does something you ask, it helps build a pattern and mindset within them, that "I'm a person who helps security." At scale, this can be a powerful cultural force that can make it much easier for you to get things done.

A Call to Action (CTA) is a marketing term for a button on a webpage that starts the process you want them to follow. CTAs work great; many marketing firms have a rule to have at least one CTA on each webpage. CTAs also help lower the barrier for people to take the action you want.

Note: CTAs are most useful in employee-facing communications. There are restrictions in an audit relationship that remove most of the value from a CTA, and in customer-facing security messaging the sales or marketing rep will manage the overall customer experience, so let them make the CTA.

Execution

Delivering on this three-step approach differs slightly between 1-1 or small-group dynamics (Sales) and broad messaging (Marketing).

Marketing

Remember your role: you are not a cop; that is the path toward failure and frustration. Security is not anybody's top priority, so to improve it at your organization, you need to meet people where they're at and help make their next best step as easy as possible.

It can be helpful to think of all security outreach as marketing: it persuades people to do what you want. Examples include:

  • Policy
  • Education and Awareness campaigns
  • New Hire handouts
  • Reference Architectures
  • Training
  • Presentations
  • Security Intake pages
  • Organizational procedures

With all marketing, you balance concision with helpfulness. On one hand, it needs to be complete enough to be meaningful. On the other, every additional word increases the chance that you lose someone. Good marketers know that the best way to improve the stickiness of a message is to segment by audience. This allows them to tailor their message to exactly and only what each market segment wants and needs to hear.

To deliver on this strategy, it can be helpful to write a little charter for each piece of marketing, consisting of:

  • The Chosen Audience. Examples:

    • Developers
    • IT builders
    • New hires
    • People managers
    • Auditors
    • Customers
  • Media/Presentation style. Everybody learns differently. If a message is important for many people to understand, consider delivering it in different ways:

    • "Sales Slick" style: lots of white space, color, and pictures. This works best for the most people, and should be your standby for diverse groups such as new employees and distracted executives.
    • Presentation style: The "video" version of the Sales Slick; the same design approach applies.
    • "Policy" style: sometimes you just have a lot to say, and the words you use are important. Lawyers, auditors, and perfectionist IT engineers usually eat this up.
    • "Demo" style: Demonstrating what you want people to do using a concrete example can make it real in ways a policy never can. Recorded or live.
    • Q&A style: Usually best paired with a live presentation or demo. Encouraging people to ask questions can really increase understanding and buy-in. Even better, it often identifies flaws so you can improve.
  • The main message.

    • "Summarize for customers how our security is strong so they should trust us."
    • "Explain remote work expectations to work-from-home employees."
    • "explain to the contract review team what kinds of clauses are unacceptable"
    • "Explain to developers why they should pay attention to SAST"
    • "Explain to developers why good CI/CD governance helps average release quality and fewer security bugs."
    • "Explain to workers how and why to report a phishing attempt."
  • Bonus: What does success look like?

    • "More assets in the CMDB will have accurate metadata."
    • "More servers will be patched before the vulnerability scans start."
    • "Fewer lost deals where our security was a factor"
    • "Fewer production releases introduce new application vulnerabilities"
    • "More people report phishing attempts"
    • "The CEO clicks fewer bad links"

Connecting with your audience

Not every piece of marketing material you release should fully connect back to organizational goals. Remember, you're going for concision, too: don't make them scroll past some copypasta about Leadership Principles if they're just looking for the password complexity rules.

Good marketers have the same problem, and solve it with consistent reminders, visual cues, and organization. You can too.

Danny Trejo thinks you can do it

You may want to enlist help from marketing professionals; there's an art to this. Here are some easy thoughts to get you started:

  • Have a security website for each major audience segment, and put every segment-appropriate piece of marketing on it.
  • Create a security logo and tagline that you apply to all marketing materials. This should remind people of why security helps deliver your organization's goals. Bonus: link your logo to an appropriate security webpage.
  • Each website should cover the major ideas of security: why it's important to that audience, what they need to know about it, and how they can find more.
  • Make your websites organized and searchable. Use menus and breadcrumbs to help people see how the content in front of them fits into the overall picture.
  • Use CTAs. Almost all content (especially on the worker-facing website) encourages the reader to do something. If someone is reading the content, they are likely in the situation the content addresses. It's so easy to put a link at the end of the page to do the thing you want. The other hidden benefit of a CTA: it can expose other practical barriers to success. If it's hard to add one because there's no easy way for them to follow your advice, that's a bigger problem.

Sales

Step 1: Audience

I've noticed that effective leaders often automatically assess the goals of everyone they talk to; many have developed the ability to have a map in the back of their head of what key partners want. Whether this is automatic or a practiced skill for you, I recommend writing it down. It's easy, it keeps you organized, and helps free you to focus on other topics. "Writing down useful information about people you're selling to" is such a universal capability that it's been commoditized to a product category, CRM.

Note: Most CRMs are overbuilt for the purposes we'll address today; I suggest you just use a pen.

Further note: this is sensitive information, and awkward conversations may occur if those people see your notes about them. If there is not a strong expectation of privacy in your organization, you may want to store these notes outside your organization's control: maybe in your desk drawer or on a personal phone.

For some, information outside security's control may sound like heresy. However, it's not the only valid use case. If these examples don't sound like a real need, realize you may be part of the cultural problem that caused those federal protections to be instituted.

Step 2: Connect

Often questions work best: "What would happen if your customers' data was stolen?" "What would happen if their payment was diverted and they didn't notice until too late?" "What would happen if your product blueprints were stolen by a competitor?"

Don't be afraid to meet them in their hindbrain: emotions are important in making decisions. If your questions provoke fear or passion or pride, let them run with it. Remember: you are a partner, here to help. Together you will face and address their problems.

Telling them what to do or think usually isn't as effective as helping them discover the conclusions that you've also arrived at. Your ultimate goal is to build trust and influence with them. Paradoxically, the best way to do that is to listen.

Step 3: CTA

You have the answers. You know you do. You now need to show them how your past and future priorities deliver what they want.

Be like the Maddest of Men and sell with confidence

One past example and two current/future examples are a good starting place; you should be able to cover all three in 1 minute. You have three goals in this stage:

  1. Get them excited about what you're doing
  2. Leave them wanting more
  3. Give them an opportunity to help

It's very tempting for some to overdo it in this stage: you've done a lot of things and want to do a lot more. But sharing too many examples and details can overwhelm. If you tell them more than they want to know, you indicate that it wasn't about them at all, and risk damaging the trust and influence you're trying to build. If they ask for more, that's great, that's an indication that you've satisfied Goal #1. Let them drive the conversation and pull it out of you (Goal #2).

Last, one of your current/future examples should contain a challenge that they can help with. This could be a small request: maybe presenting at their next staff meeting (more marketing!) or more responsiveness from their team on getting patches done on time. It could also be a bigger request, such as support for an upcoming capital investment.

Final Thoughts

This may seem unnecessarily complicated, but consider: is it possible that the fundamental principles of industries that persuade people may have value for you in your mission to persuade people? Maybe?

Do not get overwhelmed: it's not possible to "achieve" excellence in communications – it's a continual journey; there's always more opportunity to improve. As with everything, the key to meaningful value is to start solid and improve every week.

Once again,

Danny still thinks you can do it

Further Reading

Storybrand - a great approach toward building effective brands and marketing strategies. Recommended by marketing professionals everywhere.

Never Split the Difference - a book that changed the way many in Sales approach their profession. You can’t go wrong with this one.