I’ve always thought that information security teams should create a brand for themselves and act as an internal consultancy function. If you have a marketing and/or PR team you could use their expertise in doing this and even if you don’t, you can do a little research and see what techniques are used in those fields.
Anyone have any thoughts on this?
Hi Mo,
I think you are spot on with this. Interacting with those who knows how to do a thing (communication in this case) is always a good idea IMO.
I know a large oil-service company used their internal marketing resources, as well as an external agency, to create a well-crafted message that yielded great results.
A different approach was done by a financial organization, who put a PR/communication person in the CISO-role – as they recognized that the CISO is more about information than anything else. This company also implemented a well-crafted series of campaigns that made a great impact on their security branding internally.
How would you invite such persons on board your security program?
Building awareness programmes such as the organisations above is a good start. Personally, I like the idea of building awareness that also crosses over to an individual’s personal life. As most of the messages for their home environment map to the business environment.
If this is done correctly, it essentially creates behavioural change thereby getting people on board.
Thoughts?