Marketing Your Cyber Program And Stay Secure


It is often said, “if you don’t want something noticed, don’t talk about it”. This is true of a bad GPA, a stain on a carpet, or a project deadline you might have missed. Many security leaders see their security programs this way too: talking about your cyber program is an unnecessary risk. It draws attention to your organization both internally and externally. Talking about the strength of your security program to executive management can make an inevitable attack all the more devastating, and using your security program as a marketing asset is thought to draw a target on your back.

When you think about information security prior to digitization, continuous compliance was nigh impossible, let alone necessary. Information was locked in physical filing cabinets with a finite number of keys, facilities were monitored by a human who would recognize strangers, and everything was in-person. Today, filing cabinets are in the cloud (on servers you’ve probably never seen, if they’re even private), keys have become passwords, and teams are scattered across the globe.

Obviously, the benefits of digitization far outweigh the risks: greater access to more talent, the ability to store and access more data, and, overall, the delivery of greater experiences to customers. For security teams, though, a change in approach to what risk management and compliance mean is necessary.

What we are seeing now, as well, is a shift in the mindset of consumers (both businesses and individuals). They are becoming more technology-aware, demanding to know where their information is stored and how it’s used. This, combined with the tools enabling teams to practice continuous compliance, empowers a security team to be proud of its efforts and use them as a selling point for the company.

How to talk about your cyber program

Drawing upon an analysis of the two largest cloud providers, Microsoft and AWS, we’ve seen trends emerge for best practices on how to talk about your cyber program, and we'll dispel some myths about marketing your security program.

Say what not how

Many security professionals see talking about their programs as a means of giving away their process and allowing malicious actors insight into how the security team operates. Not so - effective marketing is done through discussing outcomes, not process. As a consumer, you want to know what a product will do for you, not how it does it. With security as a selling point, you want to educate your marketing team on the benefits of your security program: from a high level, what are you doing that is better or different than your competitors?

In this case, examples work best. See AWS discuss their controls for their data center security here.

Talk about the strategy, not the tactics

The devil is in the details: the more granular you get, the easier it is for a criminal to spot a potential opening. Collaborate with your marketing team to shape talking points that illustrate your robust security program without discussing specifics. Again, it’s about the what, not the how.

It is possible

As we’ve seen with digitization, the benefits of turning your security program into a marketing asset can outweigh the risks. With a more educated customer base, simply saying “we’re secure” is no longer sufficient. The first step is using continuous compliance to ensure your environments are as secure as possible and that you have the ability to view their security posture in a single pane of glass. Next, collaborate with your marketing team to craft your value propositions and hone the messaging around the security program. As the digital revolution continues, security will increasingly become a differentiator. We are already seeing it with the internet of things. Be prepared and start shifting towards continuous compliance today.
