
Security Marketing Exposed - Part One


Why understanding marketing is a super power for running operational security programs


Introduction

This article is written for operational security people. The thesis is that if you understand marketing and how it works, then you can use that knowledge to apply tried and tested marketing techniques in your operational security programs. You can also use it to cut through the industry noise and hype from tools and services vendors, but that’s not the focus of the article.

Each section briefly describes the type of marketing and how it works, along with a few unspoken truths where relevant, the ‘marketing exposed’ part. Because it’s a big topic I have split it into parts, and I will try my hardest to post a new part every few weeks or so.

  • Part one covers branding, positioning and messaging.

  • Part two covers credibility including testimonials and case studies.

  • Part three covers digital and field marketing including communities.

There are other areas like public relations and advertising that I will cover in follow-up articles if there is demand.

I have only specialized in marketing as a job role for the last two years, and while nothing here is novel, I have never seen an article like this aimed at the security industry. It’s a topic I wish I had known about earlier in my career. Sales and marketing are dirty words with most security people, and given a lot of the ways they are used today, rightly so, but as I have got older I have learned to appreciate a phrase that is useful in life as a whole: ‘you are always selling something’. Whether that is yourself, your opinions, advocating for political views, friends, a service or a product, I have found it to be true. Selling security to the people you need to do it is no different.

Because of my personal career bias, the focus here is on security engineering, but I think the same principles apply across most security areas. In each section, I try to use some hypothetical examples to suggest how to apply the thinking.

Before I dive in, there is something important you need to know that underpins everything about marketing. If you are going to sell or market to someone, then you need to understand as much as you can about the person or people you are selling to. Are they young or old? Are they technical or not technical? Are they passionate about the topic or passive? What are their priorities? Why do they care? What are their challenges? What tools and technologies do they use today? What experiences, good or bad, have they previously had? Who do they respect and, equally important, who do they not respect? The list goes on and on and on, but the more you understand about who you are selling to, and are able to put yourself in their shoes, the more effective you will be at influencing them.

I believe strongly that former security practitioners and those embedded in the industry have an unfair advantage because they already have this knowledge, and are by far the best security marketers. I am biased because I am one, but sadly we are few and far between. If you want to understand just how many people are marketing commercial products and services to you, the Cybersecurity Marketing Society has over 3,300 people on their Slack alone. Most marketers at security companies are not security practitioners and never have been, and it's very obvious. I will leave it at that.

Branding

Branding is ultimately about showing people who you are. It is your identity. Many people think about branding as logos and colors, your visual identity, but it's a lot more than that. Your brand is about how you show up anywhere, and how you show up under any circumstances. It is what you look like, what you sound like, what you say, what you stand for and how you behave.

Brands are important because people emotionally associate themselves with brands that resonate, and disassociate themselves from brands that don't. I buy a lot of my clothes from NN.07, I fly Virgin when I can, ride Canyon and Factor bikes, and I love Apple products. I don't care about the quality of Stone Island or Moncler clothes, I am not a football thug and am not even looking at, let alone wearing, any of their gear, period. I don’t fly on United Airlines, don’t drink Starbucks coffee, and am not going to use IBM or Microsoft software if I can possibly help it.

So what does that have to do with operational security programs? I believe branding is as critical to an operational security engineering team working with developers as it is to a commercial company. It’s simple: if you don’t appeal to the people you are trying to communicate with, it will be an uphill battle to get them on your side. Even more importantly, if you turn people off it will be almost impossible. Operational teams with a good brand are a tribe that people want to join, or at least are happy to listen to.

People that join tribes bring their peers, and before you know it, it is no longer them and us, it’s just us: security and developers working together as a team with shared values and a shared set of goals. This, incidentally, is why finding influential champions is important: they kick-start the peer group, and peer groups associate themselves with brands not just through natural attraction to the same things, but through peer association and even peer pressure. This is an important point if you are trying to appeal to groups of people across a large company. It's a tribe mentality, which can be both a positive and a negative thing.

GitHub, a company of developers making tools for developers, and a brand that my peers and I generally love, was bought by MSFT, a brand my peer group generally does not love. MSFT is very aware of this, which is why GitHub continues to be marketed independently. MSFT still gets some level of indirect brand respect by association and hopes it will help pull the GitHub fan club to consider Azure. I heard the other day that Azure DevOps Services now has more users than GitHub. This blew my mind. Azure DevOps users are clearly not in my peer group. Peer association is very strong in communities, which is why if you look around at community events, most people are similar. This is something I will cover in a later part of this series.

When most people think about branding they think about visual branding. People subliminally make up their minds about things fast, and visual branding is very much a case of ‘first impressions’. If a brand looks cheap, flash, old fashioned or the same as everyone else, I am personally not interested in what they have to say or what they are selling. I am instantly turned off. They have lost me at the first hurdle. The same attributes may of course be appealing to other people; it’s back to understanding your audience.

Most security vendors look like they buy their visual brand from a WordPress theme site, or all use the same cheap design agency. Sadly, in my experience most internal security teams are the same, with unappealing or lackluster visual brands. The fact that cybersecurity is a very sexy topic for people who aren't in the industry is ironic.

So why does visual branding matter for an operational security team?

If I were running an operational security team today (and I am obviously not), I would make sure I have a great visual brand. Way back when I was doing it, the security team logo was like Microsoft Clippy. We had shields and padlocks everywhere, talked like we were the thought police and came across as aloof experts. I have told this story before, but when I ran appsec for Charles Schwab, almost two decades ago now, I was only able to get things done by moving from the security team's building to the developers' building. It wasn't that the security team was bad, in fact far from it, but we didn't have a good brand. Looking back, what made the difference was that my personal brand was far better than the security team brand, because I looked and talked like the developers.

Positioning and Messaging

Positioning and messaging is about telling people what you do. The old school way to do this was through differentiation, making yourself look special and unique, but that's selfish because it's about you. Sadly it’s still common with cyber security tools vendors. My personal pet peeve is ‘We have raised a gazillion dollars in venture capital to fuel our growth’. No customers care, because it's about the company and not about helping customers solve their problems. It’s a giant negative, not a positive. Ironically it’s also not unique, when half your competition are trying to one-up each other with the same self-serving rhetoric.

A better way to position is to relate to the customer on an emotional level. Did Coca-Cola market themselves as the most valuable drinks company in the world? Did they market themselves as the best drink in the world? No, Coca-Cola's positioning success is that they don't just sell a drink; they sell happiness. “Coke - Taste the Feeling”. They even pull it off at Christmas with Santa delivering coke for the season of goodwill for fucks sake. It’s Don Draper level genius.

An even better way to position is what is called ‘positioning as a service’, a technique developed by marketing guru Seth Godin. Positioning as a service is understanding the customer, acknowledging that there is a set of choices they have, and creating a service that helps them cut through the noise of the options they could choose from to get what they need. If they want what you offer that's great, but it's also about helping them if another option is better for them. When you are clear what you do and helpful if that's not what they want, they will remember you and what you do if they change their minds, and often refer others to you. 

Good brands talk about their brand values. Brand values describe what a company stands for. 

These are the Virgin Group's values:

Virgin’s restless spirit of entrepreneurship, innovation and market disruption has built up a diverse group of companies, which underpins the Virgin Group’s 50 years of growth. At Virgin, we’re known for challenging the status quo and shaking up markets, while championing people and the planet. Virgin’s purpose is to change business for good and it is the very reason we exist. It is the lens through which we make all our decisions. Our values are what keep our people, products and partners on the right path to achieve our purpose while providing incredible experiences.

Imagine an operational security team, marketing to developers, that has brand values like these (obviously unwritten, to emphasize a point):

We are a team of reformed hackers, part of the legal and compliance department, and are in charge of making sure all the company's applications are 100% secure. We know developers write bad code and we are here to find it and stop it. We have performed thousands of audits, stopping hundreds of applications going live with rookie security mistakes. We are the experts and you need to get our approval before you ship.

Not a great brand identity, right? But I once saw something like that at a Fortune 2000 company. Who on earth wants to join that tribe?

Now imagine an operational security team, marketing security to developers, that instead has brand values like these:

Our role is to make your job easier. We are here to help. Since our inception, we have partnered with developers across the company to improve security, reduce the effort of security and improve release times. We know security can be hard and we don’t want to get in your way, so we are always working to find ways to make it easier for developers to develop secure applications and avoid surprises. We are here to help.

If you are a developer, which team would you work with, the first or the second?

Some of the most well known brand values in tech are Atlassian's core values:

An open company, no bullshit, build with heart, and balance, don’t #@!% the customer, play as a team and be the change you seek. 

Like many people I am not a fan of Jira, but I will always give the company a look because their brand values resonate with me.

Brands have to keep their brand promise, i.e. live up to their values. When people emotionally invest in a brand they trust it, and they become an advocate for it and what it does. If teams or companies don't keep their brand promise, then people will not only leave the tribe, but often become an antagonist. CrowdStrike were once the darlings of the security industry, but have now fallen out of favor with a lot of people, and are a perfect and very topical example of this.

In a later part of the series I will talk about field marketing, because where a brand shows up is important. Givenchy doesn't show up at the county fair, but does show up at Paris Fashion Week. I guess it shows up on Canal St. in New York, but that's another thing altogether. What events you attend as a security team, and where your brand shows up, is important. You need to meet your target audience where they are, and that's as true in tools (think security checks as part of a PR in GitHub) as it is in real life. Black Hat is an echo chamber, fine for selling security to security people, but don’t think you are selling security to developers.

So why does messaging and positioning matter for an operational security team?

As an example of how this knowledge can be used in an operational security program, let's look at a common problem that developers have: being overwhelmed by alerts. First up, you need to understand that they have other things to do, security is not their highest priority and they just want the problem to go away. Alert fatigue is a real thing and it stops developers from doing their job. A terrible way to position yourselves as the security team would be ‘We are the official software security team, experts in hacking’. It's self-serving. A much better way would be to position yourself as ‘We help reduce the noise from tools, so you can get on with your day job’. That's the problem the developer is looking to solve, and you have a solution.

They might have come looking to get hacked, in which case point them to the red-team. That's positioning as a service.

It's also worth remembering that people position others. The famous Mac vs Apple ads are a great example of this: https://www.youtube.com/watch?v=1rV-dbDMS18. You don't want antagonists in development, you want champions.

Every vendor understands that deploying tools is hard, so will position theirs as friction free. Most security teams who hold the security budget want to push security back to developers (I think that's a very bad strategy these days, but that's for another article if there is demand), so will also position their tools as developer friendly. As I described in the branding section, you have to keep your brand promise. It's like trust: hard to earn and easy to lose. If you are marketing the adoption of security tools to developers, and like me you know that despite everyone's hopes and dreams they are rarely friction free, it’s important you pay close attention to maintaining your brand promise. If you know a tool is noisy, position your value as helping them reduce the noise; don’t tell them something you want to be true but isn’t.

That’s part one done. I hope it was helpful or at least thought provoking. Next is part two, on credibility and why, when selling ideas or tools that you want developers to adopt, it's much better if you get someone else to do it for you.

Part one has covered branding and positioning, check. Part two covers credibility such as testimonials and case studies, and part three (a big one) covers content marketing like help and docs, and field marketing including events and communities. Previously I planned to post articles like this on the newsletter a week ahead of the company blog and LinkedIn. It just hasn’t worked for my style and cadence of content, so we are back to three ways to get content: delivered to your inbox via the newsletter (signup in the footer of our website https://crashoverride.com), online at LinkedIn, or on the company blog. LinkedIn is the place for comments and feedback. If you find this useful, please let others know.
