Printer Friendly

Selling security.

Selling Security

Motivating people to care about security is a tough job, but it's one of the most critical responsibilities of any security staff. All security programs depend on people to make them effective, and those people must be motivated to do their parts. Yet time and time again, we hear security officers complain

"Our boss doesn't care about security."

"Our management just won't support us."

"People just don't want to be bothered."

"The big wheels are always too busy for security." You hear this kind of complaint from professional defeatists, but you also hear it from dedicated, competent, energetic professionals.

One of our shortcomings in the security profession is that we don't look beyond our field enough to take advantage of ideas from other disciplines and professions. We see our situations and problems as unique when many of them are similar to problems faced by others in other lines of work.

We need to reach out beyond the world of the security profession and borrow a tool kit. This particular kit contains a set of tools that has been carefully developed to motivate specific people to do specific things, is the product of thousands of years of research and experimentation, is used by millions of people every day, and is used to plan and control the spending of billions of dollars a year.

The tool kit is a set of principles, strategies, and techniques used in marketing. If one of our key responsibilities is to get people to buy into our security program, then we're going to have to sell it to them.

In both government and industry, information security is the responsibility of management and all those people in the organization who work with the information. Security is not the security office's program; it's everyone's program. The security staff provides a service in carrying out this responsibility - establishing procedures, educating staff on the subject, providing quality control (oversight), and giving technical assistance. An important part of our job is to get our people, organizations, and managers to buy our service.

Also consider two more points. People learn all the time, not only in planned learning activities but also from everyday experiences. Their attitudes are shaped by their every contact with your security staff and program, not just by your motivation efforts.

The other point is that people react to their perceptions, not to reality. To influence their attitudes and actions, we have to influence these perceptions.

Tactics and Strategy

What sort of ideas will we find in the marketing tool kit? Ideas that can help us on two levels - to plan our strategy for motivation and devise effective tactics to get the plans to work.

There are dozens of examples of how marketing tactics can be useful in promoting our security programs. How about advertising? Do marketers use posters? Do we? Shouldn't we take advantage of all the effort they've spent learning how to make posters effective?

When we put notices and reminders in in-house publications, we're advertising. Good principles of print advertising should be very useful in helping us put punch into these items.

Even more important, though, are the lessons we can learn about marketing strategy. Before we use the tricks of the marketing trade, we need to spend some time and effort looking at what needs to be done to sell security to our organization and what strategies could pay off for us in doing it.

Marketing Strategy

As examples of applying marketing strategy to selling security programs, let's look at three basic concerns of marketers when they plan a marketing effort. These aren't all-inclusive, but I think these samples will let us see how thinking in marketing terms can help get a fresh and useful perspective. The following are three requirements for effective marketing:

* Establish the credibility of the seller.

* Create the proper positioning and product image.

* Promote customer satisfaction.

Credibility means that people must trust you and believe in your competence enough to respect and accept your judgment. There's an element of trust in every sale. We trust the seller to have represented the product or service fairly and accurately and be willing to stand behind it. If you're going to sell your security program to people, you have to establish that you are dealing fairly with them and will continue to do so.

In many cases, this atmosphere of trust doesn't exist. Most often, it's eroded when something goes wrong. When a security violation or similar incident occurs, how many of us take an honest and critical look at ourselves, our security staff, and our program, and shoulder a fair share of the blame? Or do we always look for others to be the targets of criticism and punishment?

Technical competence is another essential element of a seller's credibility. This means more than knowing your product in terms of being able to quote requirements and interpret the technical jargon. It means being able to explain the reasons behind the requirements and the practicalities behind the policies.

This is a very important consideration in marketing. Sales organizations spend a good deal of their training efforts building product knowledge and helping salespeople understand product benefits. The appearance of technical competence is also important. When someone asks a question about a requirement, take a moment to explain your answer. Let them see you actually understand the issues involved. Don't fall into the common habit of answering every question with a quotation from the Industrial Security Manual or some security directive. By helping people understand what's behind the requirement, you'll help them also to recognize your competence.

Credibility is also built by displaying a proper orientation to organizational goals. This allows your customers to feel confident that you understand their situation and share their concerns for good security while effectively accomplishing other parts of their mission. Take the time to get a clear understanding of the nonsecurity missions and concerns of the people you deal with, and let them know you understand. Positioning and product image. People in marketing and advertising spend a lot of effort and money to influence their product's position and product image. Position is the consumer's perception of where the product stands in relation to similar items that would compete for his or her buying dollars. Product image is the reaction you have when you see or hear about the product.

Positioning is often done in terms of cost. The auto industry is a good example. Some automobile manufacturers try to position a model on just about every rung of the cost ladder so they can compete with all the other manufacturers. Other manufacturers deliberately position their products at the high end of the cost scale as the ultimate in luxury vehicles.

Cost, however, isn't the only way in which products are positioned. Soft drinks provide an example of positioning in terms of a conservative-to-radical scale:

* Coca-Cola - conservative and traditional ("The real thing.")

* Pepsi-Cola - modern and progressive ("The Pepsi generation.")

* Seven-Up - a complete break with tradition ("The un-cola.")

* Dr. Pepper - so radically different, you'll join a select elite if you drink it (Wouldn't you like to be a Pepper, too?")

Product image is a bit different - it's the image or impression that marketers hope will spring to mind when you see a product. A product image is the answer to the question, "What's the first thing you think of when I mention _____ ?"

A well-implanted product image can then be used as a cornerstone for a marketing effort. For example, Charmin = soft, Cadillac = expensive, IBM = big, Jordache = stylish, and Maytag = dependable.

What about product image and positioning of a security program? First, what is its product image? When people in your organization hear the word security, what do they think of? Unfortunately many people would think "hassle," "trouble," "administrative nuisance," "dangerous," or "stumbling block."

Security has a negative product image for many people, and it's our own fault. We in the security business have allowed it to happen and in many cases have caused it. Hardly anyone begins his or her working career afraid of or resenting security programs. Our program's product image is based on what employees see, hear, and experience.

We promote a negative product image in a number of ways. When we do inspections clearly aimed at finding fault, we're forming negative impressions of our programs in an employee's mind. When we concentrate on administrative nit-picking, we're sending signals that there's nothing more substantive to the program. When the security staff complains about policies and requirements, we're encouraging people to see our program as worthless.

There's also another negative security habit - the practice of scrambling to hide in the rule book whenever faced with a question. "Why do I have to do such-and-such?" asks the employee, and the security officer automatically responds. "Because paragraph 3-402 of the Army regulation says so." That's supposed to settle the issue and satisfy the questioner. Consider not just what the security officer said, but also what the employee may decide he or she has heard. For example, perhaps "The regulation says so, and that's all i know, because I really don't know my job." Or "The regulation says so, and there's probably no other reason, because the security program's just a bunch of meaningless rules that serve no real purpose." Or maybe "The regulation says so, and I'm not going to explain it further, because I can't be bothered giving you a better answer." Now, none of these interpretations is true, and they aren't what the security officer meant. People react to their perceptions, not to what's true or what we mean.

Do I mean you shouldn't refer to regulations when answering questions? No, not at all. But don't let citing some directive be your whole answer.

Common courtesy demands that we give someone who asks us a "why" question the respect of giving the best answer. It's an opportunity for us to educate people, to help them recognize the good reasons behind security rules and see that the rules serve a purpose and can make an important difference. Point out the requirement in the directive or manual, but also let them see the reason behind it. The product image you're promoting when you do this? "Security = worthwhile."

To determine positioning, you must ask this question: Where does our security program stand in comparison with all the other programs and responsibilities competing for time, attention, effort, and resources?

Positioning can occur on many different scales of measurement. Let's look at two good examples - importance and effectiveness. The scale of importance might run from mission essential to administrative nuisance.

Where does security fall on the scale? If we concentrate on paperwork and neglect substance, if we spend inspection time nit-picking forms rather than digging into program quality, and if we fly into a righteous rage if someone doesn't have all the records straight but ignore the hard questions of system effectiveness, we position security far down into the paperwork hassle category. We almost guarantee that every other program and project will compete successfully against it for emphasis and effort. We need to help people draw clear and compelling connections between the security program and the mission, to be sure they see clearly that the program can make a difference, and lead them to understand that their participation is critical, not only to the security program but also to the organization's reason for being.

As for effectiveness, the scale might run from highly effective down to futile exercise. In the early 1970s leaders at the highest levels were concerned about leaks and unauthorized disclosures of classified information. Though administrations have changed, this concern has continued. In the 1980s came the flood of espionage cases that have become so familiar - the Walkers, Pollards, Pelton, Chin, Scranage, Bell, and Harper. These cases have provided a marvelous means of demonstrating to people that espionage is a real threat and can happen just about anywhere to just about anyone.

The complaints about leaks have let us show the folks in our activities that someone does care. But have we been sensitive enough to a possibly dangerous effect?

I've been hearing a particular kind of problem raised by security people lately: "How can you get people to care about information security when they figure it's all going to end up in some magazine or newspaper anyway?" There's a similar comment: "People don't see why they should go to all the trouble of protecting secrets when somebody like John Walker just hands the stuff over to the Russians anyway."

These are tough and nasty issues to tackle, and we have to respect these people's attitudes, but to let them go unanswered and unchallenged just helps position security as a waste of time.

People are hard-pressed to care about and support a program when they believe it's an exercise in futility. But being defensive only signals that you have something to be defensive about. This is a case where reasonable, respectful discussion is essential, and logic is your best tool.

Positioning and product image of your security program are dependent on people's perceptions of it. Influencing those perceptions is something we can all do effectively if we think of it - and try.

Joseph A. Grau is the chief of the information security division of the Department of Defense Security Institute.
COPYRIGHT 1989 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1989 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:part 1
Author:Grau, Joseph A.
Publication:Security Management
Article Type:column
Date:Nov 1, 1989
Words:2217
Previous Article:The Loss Prevention Manual.
Next Article:Dangerous waters.
Topics:


Related Articles
Financial ratios.
Column gages - holding their own.
Random Samples
Reading stock tables is fundamental.
Decision in ISCO litigation regarding Swift columns. (Executive briefing: news, trends & market intelligence for instrument executives).
Components and accessories: a new acquisition strategy.
Zero banners, 1,200 tickets, 100 columns.

Terms of use | Copyright © 2016 Farlex, Inc. | Feedback | For webmasters