Organizational Influence via Security Team Branding

Sunday, December 09, 2012

Steven Fox, CISSP, QSA


Hacker Halted 2012 was full of personalities; executives, technologists, students and security enthusiasts – each one with stories that fueled conversations and debate.  Technical and business erudition dominated the speaker sessions and the hacking competitions at the heart of this annual conference.  While comprised of distinct subcultures, a sense of community bonded the attendees.

This demonstrates the effect of a strong brand.

Branding impacts our ability to secure the businesses we serve.  You are likely pondering, “What possible relevance does branding have to information security?”  “Security” usually conjures thoughts of the policies, procedures, processes and architectures that enable us to mitigate risk.  We tend to apply controls on the network perimeter, data stores and governance to the exclusion of influencing the culture that drives threat-enabling decisions.

What is a brand?  According Leap Frog Consulting, a marketing consulting firm, “a brand is the sum of tangible and intangible values and associations that differentiate it from other available offerings in the market.”  Essential to this definition are the benefits offered to the customer on both a functional and relationship level.  This definition challenges the security team to:

1. Conceive a brand that resonates with their customer’s brand.

2. Use service delivery as a vehicle to promote the brand, making the intangible tangible.

3. Use the implication of the brand to build relationships.

Brand Engineering

Our discussion of branding reflects two promises: the delivery of a positive customer relationship and of value-add services.  Each of these promises can be realized through deliberate team activities and priorities.  However, an understanding of the organization, its strategic and tactical challenges, and its people are required to implement a successful brand strategy.

Once this research is complete, the team is ready to incorporate this organizational and situational awareness into a brand statement.  This reflects that brand’s target market, the associations on which the brand is built, and the market opportunities that the team promises to play a role in pursuing.

Brand components

Target Audience

In order for a brand to reflect emotional and intellectual associations your team can leverage, it must be relevant to those with whom you serve.  A brand that fails to consider a company’s priorities or culture will fail to motivate others.  The security team should honor their customers by focusing the brand on them.

Brand Assets

Brand assets refer to the existing associations that will influence how your brand is perceived.  What do your customers think about the role of information security?  My consulting experience brings to mind two general perceptions:

1. The security team is a company subculture that is hard to understand, but they serve to protect customer assets.

2. The security team is overly cautious, imposing risk controls at the price of lost opportunities.

The first impression is drawn from companies that respect the role played by the security team in advancing the organization despite cultural differences between each business unit.  The brand assets here may include perceptions that the team is insightful, innovative and focused on a risk-based approach to security.

My clients who perceived their security teams as not balancing security against business agility influenced the second impression listed.  The brand assets in this situation are few when compared to its liabilities.  While the team may be perceived as competent, their influence is limited by the impression that they care more about security than competitive responsiveness.

The team should consider what brand associations contribute positively to the image they wish to promote.  This is also an opportunity for teams to forge new perceptions.

Market Opportunities

The success of a business relies on its ability to capitalize on opportunities.  Each business units brings insights and skills to the identification, scoping, and fulfillment of opportunities that further organizational goals.  The formation of teams or collaborations is an effective means by which this occurs.

A medical service provider expanding into new markets was challenged to meet the needs of new patients.  The business need was to increase interpersonal care while lowering the overhead cost associated with these touch points.  These costs included the gathering of patient information, coordination of patient data with dynamic feeds from each patient encounter, and derivation of health intervention tactics.

Collaborating to address this opportunity were information technology, information security, and healthcare delivery professionals.  This combination of expertise produced a plan to implement Electronic Medical Records at all their patient care facilities.

This component brings purpose, action, and promise to the brand statement.

Next week, we will discuss the articulation of the brand through a compelling brand statement.  We will also discuss the implications of brand position for the security team.  Also, stay tuned to @McAfeeBusiness for tips on branding the security function.

Cross-posted from the McAfee Security Connected blog 

Possibly Related Articles:
Security Training
Information Security
Training Information Security Infosec Hacker Halted Conference
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.