By Tina Meeker
June 16, 2021

Whether you have an MBA, an undergraduate degree in business or took a DECA class in high school, you are likely familiar with The Marketing Mix (or 4 Ps): Product, Price, Placement and Promotion. In simple marketing terms, ‘Product’ is the thing you are selling, ‘Price’ is the cost of the thing, ‘Placement’ is targeting your customers (think demographics or “target market”), and ‘Promotion’ is how you let people know the thing exists AND that they need it.

According to Merriam-Webster’s Dictionary, Marketing is defined as the process or technique of promoting, selling and distributing a product or service. 

Many CISOs and security leaders are in a position where they need to advance many initiatives (products) to various groups (placement). Each group is going to need to be educated on what you are doing, why it is important (in terms relevant to them) …AND why they NEED it (promotion). To do this, you will need to ensure your stakeholder group(s) are not subject to overly cumbersome controls or processes (price). See what I did there?

Let us start with the first P, Product. What are you selling? Your role as a security leader or practitioner is to influence non-security practitioners. This means your constituents need a clear understanding of how your goals appear to them (in their language), how those goals make your organization more secure and, most importantly, how your initiatives are going to impact their specific department or area. As an example, say you are implementing a new privileged account management platform. To most people outside infosec, the concept of privileged account management (often called PAM) will be received like the “wah-wah-wah” teacher in Charlie Brown. You need to clearly explain what it is in business terms (it helps us secure the highest-risk account passwords so they are not used in an attack). Also, explain the benefits in a way that will help gain their support (your team will not have to remember complex passwords anymore).

Now let’s talk about the second P, Price. To do this, we need to talk about the concept of security capital. Security capital is the change impact your security efforts have on others. You as a security leader/practitioner only have a couple of arrows in your quiver at any one time. Where will you use them? Your organization will only absorb so much change at any one time. Are the controls you are imposing too cumbersome? Are you adding extra steps for people that will potentially cause push-back? Are you driving an effort during a peak season? Does your user base have the right knowledge and training? Can you start from a pilot group and flex the enterprise rollout based on what you learn? To land on a ‘price’ that your user base can accept, you need to approach it in a way that ideally works within their existing processes (if possible) and ensures they have the confidence and skillset to do their part (training). You also need to demonstrate you are taking a risk-based approach while appreciating their need to be efficient and agile. Using the PAM example, the price is the work involved for the user base to adopt and codify the capability into their processes and toolsets. If you can IMPROVE their efficiency, the ‘price’ will be more easily accepted. If your constituents have an alternate tool/platform that achieves the same control objective, there is no need to pull the rug from underneath them. Work with them.

‘Promotion’ is probably the most straightforward to explain. You have socialized your product and its impact. Now people need to know this is happening and what their role(s) will be. This is about how you generate awareness. Who are your primary stakeholders? How will you reach this group? Which channels are available to you, and what messages are you trying to get across? Do you have a skilled communicator on your team (if not, “borrow” someone outside your team who has this skillset)? If you work for a mid-size or larger company, working with corporate communications and/or organizational effectiveness partners is imperative. Going back to the PAM example, you will need to identify the team(s) that operate with higher volumes of privileged accounts. Start with the highly regulated groups and/or highest-risk areas and expand outward after. Listen to feedback and make (and communicate) adjustments along the way.

‘Placement’. We cannot be everywhere at all times. What areas of your company are highest risk? We talked about the limited arrows in your quiver. Where will you point them? These are the areas where you should be spending most of your time and security capital, as mentioned above. Select pilot groups that offer a wide swath of use cases if possible, so you can capture edge cases.

In closing, the Marketing Mix or 4 Ps can help you drive and gain buy-in and traction for any security initiative. We used PAM as an example, but it can apply to any scenario where you need end-user acceptance. It is really about building credibility and trust and demonstrating an appreciation and empathy for business impact.

Tina Meeker is a highly accomplished Senior Information Security & Compliance Executive and Entrepreneur with more than 15 years of success in the retail, banking, technology, and medical device industries. Tina is currently the Sr. Director of Information Security at Sleep Number Corporation and has held executive cyber security leadership positions at Best Buy, Inc., Shutterfly, Inc. and Target Corporation.