How to incorporate security into your branding strategy?

Everybody claims their product is secure. Then why are there so many data breaches? Instead of promising the impossible (zero incidents!), companies should showcase their expertise and their commitment to integrity.


The most unexpected benefit I got from this newsletter is the content marketing skills I've built along the way. Speaking the "brand" language brought me closer to my employer's marketing team. In the past year, the brand teams involved me in more initiatives than in the four previous years combined.

Every company should showcase its commitment to security. If you cannot demonstrate your trustworthiness in today's markets, you don't belong. It's not enough to just "be secure" (more on that later); you must be able to reassure your customers, partners, users, etc.

Being featured in marketing content nevertheless evoked mixed feelings: what am I telling the world? An inherent conflict remains: a single person can't guarantee the security of a product, let alone a company!

If every company were as good at security as its marketing material claims, we wouldn't see data breaches in the news every week.

So, is that it? Let's get cynical and call this whole thing a pantomime! That's not how we roll at ppfosec.

This week, we look at how to put forward an inspiring security marketing message while not promising the impossible.


"We're secure": what does this mean?

What I intend when I say "secure"

Security decision-makers are competent and have sufficient, accurate information to make risk-based decisions. Sufficient funding allows security management to achieve its objectives. Security teams have the relevant expertise and access to the technical and administrative resources needed to attain a level of protection in line with the organization's objectives.

What people want to hear

Zero breaches, guaranteed.

See what I mean? The first is an obligation of means, whereas the second is an obligation of results... an impossible one. I explained the perverse effects of this approach in "Why the media should report on security breaches":

📣
Requiring executives and politicians to get fired when they disclose a breach creates "counter-incentives". A security incident or a breach is not in itself a failure. Context matters. We must scrutinize the process that led to a breach, not the end result.

We, and especially the security community, created a perception that any security breach is shameful.

For a security professional who goes public claiming a product is "secure", this is a danger. I'm not fooling myself. If a breach happens tomorrow, my personal brand is broken, no matter what I say.

I compare information systems to cities due to their sheer complexity, interconnectedness and chaos.

We can't guarantee the absence of breaches, any more than your mayor can guarantee the absence of fires! What public administrators can do, however, is:

  • Fund a fire department that engages in prevention, detection and incident response with competent staff.
  • Build infrastructure to facilitate response (fire hydrants).
  • Implement construction codes and inspections. Mandate fire evacuation drills in public buildings.

Sounds a lot like information security work! Technical, administrative and organizational controls to minimize the likelihood and the impact of an adverse event.

I wish this were what the public expected of us.


The best cybersecurity marketing is showing your expertise

Yes, I showed my face in a few LinkedIn posts. But the best marketing we've had was winning a big CTF, winning an award for our identity and access management practices, and writing technical blog posts about these events.

Take Palo Alto Networks' Unit 42 blog. Its security researchers share with the community some of the most thoroughly researched content about current threats.

Showcasing your employees' competence builds trust.

In May 2022, Cisco suffered a security breach. Afterwards, its incident response team published a lengthy post about how they managed the incident. They didn't attempt to hide it or to play the victim. They owned the problem.

But Cisco has a big team!

Yes. This is why you have to operate at your own scale. Publicly celebrate your employees' security achievements!

But won't that reveal too much about our internal security?

This is an objection I often hear: threat actors could "discover" details about our security posture from this content. Given that the overwhelming majority of breaches start with credential attacks (stolen, phished or reused passwords), I wouldn't be especially worried about attackers knowing that you use the latest security products.


Have you ever been involved in product marketing? Tell us more in the comments!


🥳
Thank you for reading!

If you like my content, subscribe to the newsletter with the form below.

Cheers,
Pierre-Paul