At a recent security luncheon for CIOs, someone raised her hand and asked a question as tired as the menu in the corporate dining room: How do you convince other executives of the need for information security? The answer was an equally predictable one about giving scary newspaper articles to the CFO. Fear, uncertainty and doubt. Next course, please.
What if — dare we say it? — the CIO actually found a way to market security as a competitive advantage?
It's not a new idea, but it's an unconventional approach that at least one CIO has decided to try. Sean Scott, CIO of North Carolina-based Womble, Carlyle, Sandridge and Rice LLC, is in the midst of improving his law firm's security, and his justification sounds like something out of the mouth of a marketeer. "I'm trying to position myself so that in two years, when I think security is a major point, we'll be ready," he says. "We're definitely moving toward positioning our law firm in a very competitive way to provide more secure services for our clients."
Note the use of the word services — of security not only as a way to prevent intangible losses but also as something to be used. Two examples: Scott's firm offers not just extranets where clients and attorneys can collaborate on documents, but secure extranets. And while most law firms give their own attorneys the means of sending and receiving encrypted e-mail, Scott makes sure that clients have encrypted e-mail as well. An attorney trying to attract new business can say, "You don't have to go out and buy encrypted e-mail to do business with me. I'm paying for that service so that you can have it." Again that word service. Security vendors use it all the time. Why shouldn't CIOs do the same?
So far, Scott hasn't marketed his security outside the firm, aside from allowing the vendor Counterpane to issue a case study. But he thinks that will change. "I do see us adding this to marketing material, just to comfort [potential] clients that we're safer than the typical law firm. I don't think it's going to be on the cover page."
It's a risky approach — some might even call it a gimmick. Aggressively broadcasting your security prowess — like Oracle did with its "unbreakable" campaign — is tantamount to putting a "kick me" sign on your back. There's no way to prove that your security is the best, but there are many ways for hackers and even unwitting employees to prove that your security is not the best — which would be doubly painful if you had been running around boasting that your whites were really brighter than anyone else's.
But I like the approach anyway. It raises the bar and makes security part of the dialogue, an investment to be proud of rather than something to cower behind. A little creative marketing could go a long way toward convincing other executives to spend money on security. If it also helps you get customers, then all the better. So put something new on the menu. Who knows, maybe people will bite.