To ensure security programs produce maximum impact and gain support from enterprise stakeholders, cyber leaders should adopt proven marketing methods.

For most organizations, putting great cybersecurity in place requires a massive uphill trek. Many forms of change are required – technology, process, talent, and more. Here, cyber leaders focus inward, working to get capabilities in place and reduce identified risks. But fundamentally, you need externally-driven change too, where other enterprise leaders (and key partners outside of your business) believe in the cyber mission so deeply that they can’t live without it. Since cybersecurity can’t be successful in a vacuum, these external people are necessarily your adopters, your supporters, your financiers, and your potential enemies. If we want to get them “on board” and affect meaningful change for the business and beyond, cybersecurity organizations require a new capability that you won’t find in today’s leading standards and frameworks: cyber marketing.

Simply said, as a cyber leader, you have customers and you’re here to solve their problems. Marketing greatly enables this. Engaging your customer base requires patience, perseverance and empathy. You’re working to build trust with them, as it's essential to your success. This goes well beyond internal communications. Through targeted marketing, you’ll knock down walls that currently prevent you from delivering the best possible cybersecurity. As you build trust, you’ll see the all-too-prevalent “us and them” mentality fade away. In fact, it’s just “us” – you’re in it together.

What Cyber Marketing Does for You

Forget marketing in the typical advertising sense; we’re not living in a Mad Men-esque era, working to subconsciously trick people into wanting things that they don’t need. No, marketing for cybersecurity is genuine and important, and message tailoring is vital. To CEOs and board members, they’ll sit up straight when you talk to them about long-term business health. A CFO wants to improve return on investment. Product development and manufacturing leaders will feel comforted knowing that cyber incidents won’t knock their plans off course. And supply chain and customer service personnel will sleep better knowing they can securely work with third parties in the sprawling, interconnected business ecosystem.

Cyber marketing is highly-concentrated and honed for the purposes of making your ideas for cybersecurity spread amongst your exact target audience. You’re saying, “trust us to help make your lives better.” People want that. A sincere, targeted and empathetic approach will get you there.

Your strategy needs to be expertly-nuanced for the specific people you seek to influence, and your storytelling needs to be persistent, consistent, and incentive-laden. Your job is to earn their trust, attention, and action. Through this form of expert marketing, they’ll deeply desire the value you can deliver to them, and in turn, they’ll feel it’s worth their time and resources to put skin in the game with you. This is how great culture develops. And as Seth Godin says in This is Marketing: “culture beats strategy…so much that culture is strategy.”  Cybersecurity is a “team of teams” sport, and you’ll need a well-tuned marketing capability to get all the right players on the field and in sync.

What cyber marketing is not: blasting blanket messages to the masses. It’s not about computer-based training and “be secure” posters – that serves a different purpose, often focused on end user behaviors. Especially in today’s highly-fragmented and super-niche world, you need to enrapture your most key stakeholders (e.g., board members and c-suite executives) by first understanding them and then making calculated offers. There’s no easy button; it takes hard work.

How to Do It

Just like in traditional marketing, in cyber marketing, ideas that spread, win. You’re working to gain trust, attention and action amongst a small set of important individuals that will cascade to massive progress.

To generate proper returns, cyber marketing must be installed as an enduring capability within the security program. It’s not about a one-time or one-way messaging campaign. It’s bigger and more important than that. Here’s how a cyber marketing capability can materialize and work:

1. Blend atypical talent into your program. We’re getting better as a community at injecting diversity into security efforts. In this case, bringing in professionals with marketing, communications, organizational psychology, or cultural anthropology backgrounds can ignite the spark you need to creatively jumpstart your cyber marketing capability. Have them map and analyze stakeholders across the business ecosystem and devise an initial engagement approach for the smallest viable audience – start with those that really matter. Get them comfortable with “owning” the long-term marketing capability for the program.
2. Seek out and empathize with your unique customers. Once you know who really matters, get to know them. You can work this inside-out or outside-in. The former is simple: meet for coffee (or through another informal way) with your target audience and get them talking. Listen deeply. Understand their pressures, targets, insecurities, and desires. Be human with them; feel what it’s like to be in their shoes and create a sincere connection. To complement this approach, conduct outside-in analysis. Human-centered design approaches and journey mapping are example ways that you can understand your customers. Emulate user experience (UX) design processes and develop a rich understanding of individual customers, keeping the total number of personas under ten. From there, pull back and elevate to connect the dots among customers. What commonalities and intersections are you seeing? This gives you important inputs for tweaking security capability (e.g., more flexibility in the cloud) based on your stakeholder needs and it gives you the fuel for developing nuanced marketing messages regarding the promise you’re offering.
3. Crystalize your idea of “better”. Now that you understand your audience, it’s time to align that with your cyber strategy. You might have a data-centric security philosophy, or a viewpoint on robust security for DevOps. Keep that to yourself – at least the pieces that matter only to you. Your external audience isn’t so interested in that. Instead, your task is to translate the relevant aspects of your strategy into appealing messages that pull in your customer base. You want them gravitating toward you, so establish messages that articulate your promise of a better world, where security is seamlessly infused across the business and everyone is better off for it. Mostly importantly, highlight specific benefits that will uniquely appeal to each of your target audiences, and use their language. Appeal to hearts and minds in a way they’d never expect from a cyber professional.
4. Show up regularly and put in the emotional work. Once you’ve ramped up, you can start to engage and make subtle (indirect) asks. Talk to each customer, sharing tailored stories of your promise for a better, more cyber-secure future. Using their lingo and priorities as a guide, engage them (and their teams) to obtain feedback on your strategy. Bring to life the vision of how everyone is better off and get them excited. As you build relationships, your customers will offer help. Remember, you absolutely need them. Once the bond is mature, and the walls crumble to the ground, you can gently reveal how they can participate in the success (resources, process changes, etc.). Understand: you must earn this right. Your strategy and stories need to map to the value system, hopes, wants, and dreams of your customers.
5. Measure progress. Everything is measurable. Since you’re developing a cyber marketing capability, you’ll want to understand the delta between where you are and where you want to be. Clearly describe your aspirational state. Develop metrics and source measures that tell you how mature your capability is, and most importantly, how well it’s performing in shaping the beliefs and actions of your target audience. Drive towards understanding return on investment (ROI) and be proud in communicating what you’re doing upward.

The human-to-human nature of good cybersecurity isn’t going away anytime soon. Our need for deep connection, empathy and comradery is now more important than ever. It might not seem like it, but your customers are waiting for you; hoping that you’ll deliver something awesome. Something that’ll excite them and instill calmness. To unify, accelerate, and force-multiply your security efforts, investing in great cyber marketing is a strong choice.

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.