Selling InfoSec Differently

Information security is expensive, inconvenient, and hard. Fear-mongering dulls itself over time. If you are a security representative in your organization, whether full-time or more likely part-time, influence, as a means of connection, will get you farther.

This week, ppfosec turns 1 year old! I am so grateful that you are giving me some of your time every week. The best experiences for me were the DMs you sent me every Wednesday telling me how I’ve helped you.

Since I’m on vacation for the next few weeks, I will drift from the usual research-heavy newsletter format. This week, I will give you some insights into what I learned from one year of blogging and how this changed my current vision of information security in the enterprise.

The core idea I’ve grown to embrace is influence. Yes, as in "influencers", as tongue-in-cheek as it seems. It's easy to think of "influence" as "showing off your abs to persuade people to buy your shoe brand". This is the shallow and manipulative marketing we've come to groan about. But it turns out information security has much to learn from influence skills.

In a nutshell: information security is expensive, inconvenient, and hard. Fear-mongering dulls itself over time. If you are a security representative in your organization, whether full-time or more likely part-time, influence, as a means of connection, will get you farther.


Start with the why

I read as much about marketing this year as I read technology news. I’d go as far as to say that the most significant benefit I got from blogging was the digital marketing skills I acquired. One cannot talk about marketing without bringing in branding.

I used to hate the very idea of branding. I've shunned Apple for a decade because I felt the brand was more style than substance, for example. But then I fell into a digital marketing rabbit hole that led me to the now-famous Simon Sinek TED talk: "People don't buy what you do; they buy why you do it". A good brand expresses these beliefs and purposes.

So, why information security? Nobody builds software for the sake of security. That would be foolish. Why should developers and IT professionals bother? The marketing way is to remind people about attacks. And yes, the threat is real. Cybercriminals are targeting you. But the problem with that approach is the "why"... Which core belief are we inspiring people with? As a writer, I must educate. I feel I would act manipulative if I created a "following" of fearful individuals.

I wrote about the alarming rate of burnout in our field. Based on my experience, I believe the main culprit is the clash between business imperatives and our view of "how things should be". Stress shows how much we fail to influence.

This is why I want to re-frame my approach, both as a creator and a professional, as a force of optimism. Optimism is misunderstood. People equate it with "being positive". Optimists believe action can bring change.

Optimism's approach to information security is bringing clarity to the actual threats and enhancing the positive externalities of secure behaviours. Information security, both as an individual and a business, usually correlates with doing the right thing and doing things right. It becomes a question of ethics and integrity. Suddenly, security strikes as attractive.


Security as a connective tissue

Over the past year, I have tweaked the newsletter more often than I wished. Thanks for sticking with me! I always meant to build my online presence around sharing my passion and knowledge. That said, the captivating technology news (generative AI going mainstream, the crypto bubble, TikTok bans, mass layoffs) swept me over for many months. This drift shouldn't surprise you.

Security is horizontal. By that, I mean it permeates every part of an organization's technology systems. We are hard-wired to care about every little detail. When we "connect the dots" between various functions (the network team with the data team, for instance), we glue the organization together.

Being everywhere and being curious about everything drives our attractiveness further. I believe so much in that principle that whenever people seek advice from me on LinkedIn about cybersecurity, I always bring up the opportunity to touch everything as a selling point!


For a new type of feeling

I keep asking myself: why do I do this, and why should you care? I was in rock bands for a while. I was part of the school's theatre troupes all the way to university. I studied to become a fiction writer. Maybe my psyche's broken and I crave the attention, I don't know.

What I do know is how it feels to consume a piece of content that gives you the feels. And I guess this is my goal: to evoke the same feelings of amazement in you through my writing.

The best feedback I've had this year as a content creator was about one post I made on LinkedIn where I shared my passion for MidJourney's AI images. A coworker came to my desk and flat-out told me I had awakened something in him. How amazing is that?

All this to say, this knowledge I share (and the jokes) is a means to make you feel some uplift.

Why can't our corporate security awareness training work the same?

Thus we come back to influence. I keep feeling "not getting hacked" fails us as a value proposition. Look at how Cisco dealt with its 2022 security breach. Their security team is so solid that they managed to turn the incident into an educational blog post! Talk about making lemonade. Cisco realized breaches are part of the infinite game that is business. That's a type of organization I would want to follow.

All this to say, if you want to get things moving fast, sure, go ahead with the fear marketing. But if you want to build for infinity and beyond, you better start adopting an optimist leadership mindset.

And that starts with your why.