Risk management is not the only business principle associated with IT security. Marketing is another that security professionals would do well to take advantage of. Indeed, the effectiveness of a comprehensive security program/strategy (or even an individual project) is dependent on the degree to which key enterprise constituencies understand it, embrace it, and invest in it. We believe traditional marketing practices are essential to achieving such "buy in" and to relating security to the enterprise's business success. Specifically, target audiences should be identified (executives, IT managers, end users) and individually analyzed, to support the creation and delivery of customized messages. META expects only ten percent of organizations to formalize their efforts to market security during the next two years, electing rather to ride the wave of "interest" generated by high-profile security events. However, this will inevitably change as IT security programs mature and stabilize, as the pattern of "attack, recover, attack, recover" becomes an uneasy status quo.
Other members of the central security group must be trained, because marketing will become a team effort and executing it transparently (to the constituents) will arise as a secondary goal. Most important, however, is the need to tune the approach for each constituency. For example, the focus for end users should be awareness; the focus for IT managers should be facilitating security as a service for infrastructure development and operations. And the focus for executives should be business generation and preservation.
Identifying and analyzing target audiences. By now, the target audiences should be apparent. Security marketing should be directed upward to business executives, laterally to IT managers, and outward to end users; these are the three constituencies that influence security effectiveness. We recommend conducting a strength, weakness, opportunity, and threat (SWOT) analysis for each of these audiences to gain a better understanding of how to influence them.
Creating messages. Message creation is part art and part common sense. The art is in mapping what the IT security team considers necessary and appropriate to what the constituents perceive they need. The common-sense part is to create the core messages around themes that are important to each audience. For executives, themes include revenue, profit, and risk. For IT managers, enabling faster decisions, reducing complexity, increasing transparency, and improving availability are all good focal points. And end users understand concepts such as job protection, organization protection, and team membership.
Packaging and communicating. Three primary components must be addressed in each plan: media, style, and schedule.
Executive. Succinct presentations or papers (but not memos) are best, though media-less one-on-one sessions will also be appropriate for some executives. The style should be professional and intellectual (never threatening), and the schedule should be no less frequent than quarterly (ideally monthly).
IT manager. Rely on existing communication vehicles, with a schedule that is no less frequent than monthly. Face-to-face meetings are best, and the style should be informative, collegial, and receptive.
End user. Media options are numerous, including video/live presentations, policy booklets, posters, and toys. The style can include elements of seriousness, but a mixture of concern and fun will typically be more effective. Annual updates and new hire programs should be augmented with more frequent (monthly) awareness events.
First published in October 2001