
Marketing Your Cyber Program and Staying Secure


It is often said, “if you don’t want something noticed, don’t talk about it”. This is true of a bad GPA, a stain on a carpet, or a project whose deadline you might have missed. Many security leaders see their security programs in this way too: talking about your cyber program is an unnecessary risk. It draws attention to your organization both internally and externally. Talking up the strength of your security program to executive management can make an inevitable attack all the more devastating, and using your security program as a marketing asset was thought to paint a target on your back.

When you think about information security prior to digitization, continuous compliance was nigh impossible, let alone necessary. Information was locked in physical filing cabinets with a finite number of keys, facilities were monitored by a human who would recognize strangers, and everything was in person. Today, filing cabinets are in the cloud (on servers you have probably never seen, if they are even private), keys have become passwords, and teams are scattered across the globe.

Obviously, the benefits of digitization far outweigh the risks: greater access to talent, the ability to store and access more data, and overall the ability to deliver better experiences to customers. For security teams, though, a change in approach to what risk management and compliance mean is necessary.

What we are seeing now, as well, is a shift in the mindset of consumers (both businesses and individuals). They are becoming more technology aware, demanding to know where their information is stored and how it is used. This, combined with the tools that enable teams to practice continuous compliance, empowers a security team to be proud of its efforts and to use them as a selling point for the company.

How to talk about your cyber program

Drawing upon an analysis of the two largest cloud providers, Microsoft and AWS, we have seen trends emerge in how best to talk about your cyber program, and along the way we will dispel some myths about marketing your security program.

Say what, not how

Many security professionals see talking about their programs as giving away their process and allowing malicious actors insight into how the security team operates. Not so: effective marketing is done by discussing outcomes, not process. As a consumer, you want to know what a product will do for you, not how it does it. With security as a selling point, you want to educate your marketing team on the benefits of your security program: at a high level, what are you doing that is better than or different from your competitors?

In this case, examples work best. See how AWS discusses its data center security controls here.

Talk about the strategy, not the tactics

The devil is in the details: the more granular you get, the easier it is for a criminal to spot a potential opening. Collaborate with your marketing team to shape talking points that illustrate your robust security program without discussing specifics. Again, it is about the what, not the how.

It is possible

As we have seen with digitization, the benefits of turning your security program into a marketing asset can outweigh the risks. With a more educated customer base, simply saying “we’re secure” is no longer sufficient. The first step is using continuous compliance to ensure your environments are as secure as possible and that you can view their security posture in a single pane of glass. Next, collaborate with your marketing team to craft your value propositions and hone the messaging around the security program. As the digital revolution continues, security will increasingly become a differentiator; we are already seeing it with the internet of things. Be prepared and start shifting towards continuous compliance today.
