A-LIGN’s SVP of Marketing, Brian Gladstein, has been sharing ideas and best practices for getting the word out about your cybersecurity assessment. As the final post in this series, Brian discusses sharing your cybersecurity assessment with your professional community and how to promote your commitment to their security.
Recently I’ve been sharing ideas and best practices for getting the word out about your cybersecurity assessment, and how your SOC 2 report, ISO 27001/27701 assessment, or FedRAMP certification can demonstrate to customers and business partners the commitment you make to their security. If you’ve been following along, you first learned how to announce your cybersecurity assessment with a press release. Then, we talked about how to best feature this assessment on your website and next we dove into how to win more deals by arming sales with your assessment. If you haven’t been following along, take a few minutes to check these articles out!
As my final post in this series, I would like to share with you one more method – perhaps the most rewarding method, because it’s the most personal. It’s time to talk about sharing your cybersecurity assessment with your professional community.
Why should I share our assessment with my professional community?
At first you might think, why would I do that? What you may not realize is that not everyone has been through the cybersecurity audit process. Many members of your community may be new to the idea, unsure of where to start and feeling a bit overwhelmed. Audits can be intimidating. Chances are, you learned a lot during this process – and others starting down the path will no doubt benefit from the wisdom you’ve acquired.
As security professionals, we are all eager to learn, improve and do better. Since you’ve successfully navigated an assessment, you now have something to contribute not only to your community but also to conversations occurring on social platforms, like LinkedIn or Twitter.
I’d go so far as to say: it’s your obligation to contribute and teach others what you’ve learned. That’s what we do in cyber.
Talk about your security program, without actually talking about your security program.
I’ve been in the cybersecurity industry for a long time and, as a marketer always trying to get customers to provide a testimonial or participate in a case study, one hard reality about the security industry is that people are extremely hesitant to talk about their security program publicly. It’s understandable because of the inherent risks associated with sharing too much information. Why give an advantage to the adversary? If you disclose, for example, what products you use, you might open yourself up to an attack from a hacker who has an exploit for that particular product. It can be scary stuff.
This overarching concern sometimes does a disservice to the cybersecurity community because people may not share important lessons learned that can actually make a difference. That’s where your assessment opens a door.
Your assessment gives you a way to talk about your security program without actually talking about your security program. Use your cybersecurity assessment to publicly discuss controls, best practices, policies, incident response, problems you’ve solved, and more. In the context of the report, you find a rich supply of information and a way to discuss it that doesn’t require the disclosure of sensitive information or how you are operating your security apparatus.
You get to share important lessons learned in a safe way – it’s a win/win for everyone.
Cybersecurity professionals: Detectives, problem solvers, heroes
Listen, attackers need to work together. We are stronger when we do.
The bad guys are working together – there’s an entire dark economy out there of malware, exploits and botnets that can be assembled to execute attack after attack. Smart defenders know that to protect against these coordinated, complex threats, we need to do the same thing on our end.
By nature, security professionals want to share their intel, knowledge and best practices with each other – it’s what we do! As a cybersecurity professional, you are a detective, a problem solver, a hero. Get out there and tell your story. Your community needs to know and we will all be better for it!
Four practical ways to share your cybersecurity assessment
There are a number of ways to share your security assessment with your community. Here are four that come to mind:
- Speak to other professionals, one on one. Discuss what you learned during your assessment, where your gaps were and how you addressed the gaps. Answer questions that people are asking individually. You’ll quickly learn what to say and what not to say so you keep sensitive information to yourself, while still passing on your knowledge.
- Give a talk at a local chapter meeting of ISACA, (ISC)2, OWASP, or any other regional security meetup. It’s a safe setting where people gather to learn directly from each other and hey, it’s what members are there for. Lay out some of the core elements of your security program and how you and your auditor worked together to provide assurance.
- Microblog on social media. LinkedIn and Twitter are great places to drop little pieces of your story and lessons learned. You’ll help others and build your own reputation while creating buzz for your company.
- Apply for speaking engagements and ‘calls for papers’ at larger conferences. You may have a story that lots of people want to hear, and events like Black Hat and the RSA Conference are great venues for just that. Don’t feel comfortable taking the stage alone? Find a trusted vendor and they will almost certainly help you create slides, tell your story, and network with people at the event.
As a cybersecurity professional, you are on the front lines protecting information, protecting our families, protecting our businesses. Your assessment report demonstrates that you are doing the right things, and there are thousands of people out there who can benefit from your knowledge. Get out there and tell your story. And as always, if you need help, give me a shout!