I just read an article in Fast Company Magazine that made me think. The article had nothing to do with Information Security, IT or computers. It had to do with marketing (which I dislike immensely). Yet marketing can make all the difference in a security program. (See my post about Selling Security). How we package and market our program can make or break whether or not we get the funding and approval to do what we have deemed as necessary to protect our environment. Do our policy recommendations get accepted? Do we get to implement this technology or this program that will improve our security posture? How we market and sell it may make all the difference.
In the FC article they talked about making your product “stick”. What is it that you do that makes your product stand out from the crowd? What makes people talk about your often sub-par product? (I'm not suggesting that we try to sell sub-par security.) We have to think about our image to build and maintain credibility within the organization. We have to ensure that the security group is viewed positively by management as well as by the end user. We have to adopt a positive posture of security and do all we can to eliminate the negative attitudes that WE have created over time. Our attitude towards end users, management, the company culture and our jobs has to be positive if we are to develop a positive security mindset within the company.
Yesterday I attended the maiden voyage of Mike Rothman's Pragmatic CSO Bootcamp. It was a day well spent. We talked about this very thing on and off throughout the day. It seems that most every step in his 12 Step Security Master program came back to this in some form or fashion. In security it is all about image and credibility. If we are viewed as the group that wants to make it hard for the users to do their job or as the guys who don't want us to have any “fun” then we are developing a negative image. That image will spread throughout the entire organization if we are not careful and it may well come back to haunt us when it comes time to secure funding for projects.
At my previous job the marketing group branded the IT department as the “Red Tape” department (now you know why I don't like marketing). That came from the fact that every time they wanted to do something we put the brakes on them. Often we did it in ways that didn't help our image. They would say that they wanted to do such and such and we said NO!!!! and then walked off. They would ask to implement this technology and we would make them jump through hoops to justify it. Sometimes just because we could. Pretty sad, huh? I have to admit that I participated in that. Sometimes out of a spirit of being ornery and in a position of “control”, sometimes out of a spirit of joking around (I'd come back later and tell them it was approved just to irritate them) and sometimes because it was just a bad idea that affected security. After they branded us the “Red Tape” department it made me stop and think about our image in the company. I didn't like being the bad guy. If it is necessary to be the bad guy to remain secure that is one thing, but to be the bad guy because of an attitude is something else. So I decided to change that attitude. Not because I wanted to be liked but because I knew that a negative attitude affected the whole program and the company.
So what do you do to make your IS program “stick”? What do you do to make it stand out and be seen as a way to enable secure business practices? What things are going on that encourage a negative or positive attitude within your group, department and company? How can you make changes to improve the image of security within your company? It doesn't matter whether you are the CSO or you are the new guy who is stuck with the most boring security job in the company (log review), you can start with changing your attitude and how you react or respond to things that happen. It may not be easy or fun (after all, making fun of dumb things that users do can be very funny at times) but it WILL make a difference over time.