RSA conference: Speakers highlight marketing strategies to boost security awareness
Security chief told delegates at RSA conference to use marketing techniques to engage the enterprise with security, and increase funding and headcount
Marketing techniques can be used to encourage employees to adopt responsibility for their security, and to acquire additional funding and headcount from the board, according to a security chief who was speaking at the RSA security conference today.
Lee Parrish, VP and CISO of construction firm Parsons Corporation, explained that he uses marketing principles to improve his organisation's security, double his budget and increase his headcount.
Speaking to delegates at the conference this afternoon, Parrish explained that before implementing marketing strategies, it is important to start with an initial security strategy, including establishing suppliers and costs before beginning the marketing exercise.
"You need to have your potential partners and costs outlined at the outset, because those are the first areas your CEO will question you about," said Parrish.
He explained that just as external marketing teams need to understand their customers, those responsible for security need to understand their internal market (the business and its staff), and how it segments.
Enterprises are divided into business units, and each one can be viewed as a different segment, often with differing risk profiles and security needs.
Parrish said you must glean the same important information from each segment: "You need to know who holds the purse strings, what keeps them up at night, what their risk tolerances are, and how their president or most senior figure is assessed.
"By understanding these things, you can devise the security solution that will best fit them and, more importantly, give them the most incentive to drive its adoption," he said.
Parrish sees most problems occurring at the management level, among team leaders and directors for example, because they are responsible for frontline business.
"Middle management is where execution takes place, and security issues can often hamper that."
He explained that with IT budgets still restricted owing to the global recession, it's also important to create the demand for security.
"Security is competing with other parts of the business for a dwindling budget, so you need to create that demand and understand which other projects are out there competing for funding."
He explained that a business unit in his company was experiencing a high volume of disallowed downloads, where staff had attempted to run applications taken from the internet but had been prevented by security controls.
The business unit was unaware of the problem, but his analysis of security reports proved there was a software need that the unit itself had not recognised.
Finally, he explained that understanding how to market a security need to the board is paramount.
Parrish gave the recent example of his firm spending a large amount of time on helpdesk calls from users demanding support for programs they had downloaded themselves.
He wanted to prevent employees from doing this, but pitched the idea to the board with cost savings, rather than improved security, as the main driver.
"We sold it to the board showing how much we'd save on helpdesk efficiencies… oh, and by the way, there's a security benefit too. It got signed off far more easily that way."
Underlining the effectiveness of his internal marketing strategy, Parrish explained that his department had avoided efficiency cuts where others had been less fortunate.
"My budget has doubled thanks to these techniques, and while other departments have been losing people, I've been hiring."