Shostack + Friends Blog Archive


Not Selling But Marketing

As promised last week, I have more to say on selling security. Well sort of. Actually, I’m going to try a new approach. I’m increasing convinced that to get real attention on security, we need to stop thinking about selling, awareness or even training users. We need to be marketing security, more specifically we need to be creating passionate users.
I’m hoping that I’m not going to get Mordaxus’s dander up to much with my semantics, but I think this is an important distinction Kathy Sierra explains far better than I can in “Marketing should be education, education should be marketing“.

Do you want passionate users? Educate them. Do you want passionate learners? Sell them. If ever there were two groups who ought to trade places–and especially research — it’s teachers and marketers. Our mantra here is, “Where there is passion, there is a user kicking ass…” and by “kicking ass” we mean “being really good at something.” In the post-30-second-spot world, the marketing department should become the learning department. Meanwhile back in schools, teachers should become…marketers.

So my recommendation is make friends with your marketing department. Find someone who is interested in security and get their assistance in putting together an effective program. In brief, the goal is to have a company full of people who care about security. This means not telling them what they can’t do, but telling them how they can help the company. Is this just spin? Yes. Am I talking about indoctrinating users? Yes. Will it be far more effective than telling users not to click on attachments in email. I think so…
[Edit: The Security Catalyst had a post yesterday talking about similar issues]
[Image is the cover of Citizen Marketers]