Marketing Your Cyber Program And Stay Secure


It is often said, “if you don’t want something noticed, don’t talk about it”. This is true of a bad GPA, a stain on a carpet, or a project deadline you might have missed. Many security leaders see their security programs this way too: talking about your cyber program is an unnecessary risk. It draws attention to your organization both internally and externally. Talking about the strength of your security program to executive management can make an inevitable attack all the more devastating, and using your security program as a marketing asset was thought to draw a target on your back.

When you think about information security prior to digitization, continuous compliance was nigh impossible, let alone necessary. Information was locked in physical filing cabinets with a finite number of keys, facilities were monitored by a human who would recognize strangers, and everything was in-person. Today, filing cabinets are in the cloud (on servers you’ve probably never seen, if they’re even private), keys have become passwords, and teams are scattered across the globe.

Obviously, the benefits of digitization far outweigh the risks: greater access to more talent, the ability to store and access more data, and, overall, the ability to deliver greater experiences to customers. For security teams, though, a change in approach to what risk management and compliance mean is necessary.

What we are seeing now, as well, is a shift in the mindset of consumers (both businesses and individuals). They are becoming more technology aware, demanding to know where their information is stored and how it’s used. This, combined with the tools enabling teams to practice continuous compliance, empowers a security team to be proud of its efforts and use them as a selling point for the company.

How to talk about your cyber program

Drawing upon an analysis of the two largest cloud providers, Microsoft and AWS, we’ve seen trends emerge for best practices on how to talk about your cyber program, and we'll dispel some myths about marketing your security program.

Say what not how

Many security professionals see talking about their programs as a means of giving away their process and allowing malicious actors insight into how the security team operates. Not so: effective marketing is done through discussing outcomes, not process. As a consumer, you want to know what a product will do for you, not how it does it. With security as a selling point, you want to educate your marketing team on the benefits of your security program: from a high level, what are you doing that is better or different than your competitors?

In this case, examples work best. See AWS discuss their controls for their data center security here.

Talk about the strategy, not the tactics

The devil is in the details: the more granular you get, the easier it is for a criminal to spot a potential opening. Collaborate with your marketing team to shape talking points that illustrate your robust security program without discussing specifics. Again, it’s about the what, not the how.

It is possible

As we’ve seen with digitization, the benefits of turning your security program into a marketing asset can outweigh the risks. With a more educated customer base, simply saying “we’re secure” is no longer sufficient. The first step is using continuous compliance to ensure your environments are as secure as possible and that you have the ability to view their security posture in a single pane of glass. Next, collaborate with your marketing team to craft your value propositions and hone the messaging around the security program. As the digital revolution continues, security will increasingly become a differentiator. We are already seeing it with the internet of things. Be prepared and start shifting towards continuous compliance today.
