Cyber Security is not something that many engineering teams consider automatically, in the same way that it’s common that engineering teams rarely consider the data governance or legal implications of the product they are looking to build. The team is there to solve user stories, real or imaginary, and the external factors, such as security, may only be considered once on the journey to delivery.
As security people we recognise that directing changes early has the lowest impact on delivery. But making cyber security integral to the delivery path by having a dedicated person on each team gets expensive fast, either as additional effort for each team or as gatekeepers blocking releases.
Instead, cyber security teams must accept that security will be included in the delivery at some point and make it our responsibility to intervene and educate engineers so that they can effect changes, or ask questions, as early as possible.
This thinking made me want to explore how to create more intervention opportunities by improving communication in the early stages of a delivery.
One industry that I realised is good at making people change their thinking was marketing.
Marketing, to me, has a strong association with unethical practices, but tweaked in the right way I wanted to see if there might be some re-usable techniques to change people’s thinking about cyber security.
I reached out to my friends in NCSC because they have a responsibility to do exactly this: communicate to the general public to suggest ways to improve their security so that money and people’s data don’t get stolen.
From there I was directed towards some academic research titled Can we sell security like soap? which is a wonderful analogy.
The thing that I liked, though, is the concept of Social Marketing. As a side note, I want to be clear this is different from Social Media Marketing, and while looking for books on Amazon it also mixes the two up.
Unfortunately I’ve not yet been able to identify a set of guidelines that help me. A lot of what I’ve read so far seems to originate from academia without much grounding in the practical working world.
But perhaps that’s the point. As people working in Cyber Security, our responsibility is to take what has been written and turn it into something consumable that will make others more effective.