How marketing principles can be used to enhance cybersecurity training

Marketing psychology has influenced each of us; experts suggest it could help reduce the angst of cybersecurity training.

Securing a laptop

Image: iStock/structuresxx

Depending on your point of view, marketing is either fantastic or downright evil. What people can agree upon is how successful marketing is at convincing them to do something, even though it was the very last thing on their minds.

There's a reason why candy, soda and a myriad of useless trinkets are conveniently placed at checkout counters. It's a marketing principle called the Four Ps--product, price, place and promotion of goods or services. 

SEE: Identity theft protection policy (TechRepublic Premium)

In his blog post, The Six "Ps" of Marketing, Bill McKendry, founder and president of DO MORE GOOD suggests that, in today's digital world, there are two more, and they're the most important:

Participation: Put simply, those responsible for marketing need to create opportunities for their audiences to express themselves about a product or service.

Purpose: It may seem obvious that a well-defined and focused purpose is not only important, it is desirable. McKendry added, "For those who come in contact with any idea, group, service or offering today--donors, volunteers, staff and those whom you serve--everyone wants to be associated with organizations that have a clear and compelling purpose."

McKendry also mentioned, "I believe 'purpose' is the most powerful element of any marketing mix as it can and should be the driver of every other aspect (and 'P')."

What does this have to do with cybersecurity?

There is a dilemma when it comes to cybersecurity training. Most would agree cybersecurity training is vitally important, but when it comes time for training, the story changes, with most people preferring not to attend some cybersecurity seminar or class.

This is where marketing comes into play. In her article for InfoSecurity Use Marketing Principles to Gain Employee Buy-In and Results Ashley Rose, CEO of Living Security, mentioned: "As a marketer turned cybersecurity business owner, it's clear to me that traditional approaches to cybersecurity training have failed. Cybersecurity professionals and business leaders need to apply basic marketing principles to make their organizations safer."

Rose offers cybersecurity professionals and business leaders five marketing principles she believes will improve the safety of their organizations. What's interesting is how they all support McKendry's two new "Ps": participation and purpose.

Get audience buy-in (Participation): Security training is typically mandatory. "Businesses require their employees to go through training to check a compliance box without explaining why security matters," mentioned Rose. "This is essentially the 'because I said so' approach, and it works about as well here as it does when I use it on my 10-year-old."

It is apparent to Rose that no matter how many employees go through training, cyber events will continue unless people understand why training matters. Rose added, "Security leaders need to provide context about types of attacks, why they are everyone's problem and what to do when they happen."

Don't force-feed everything at once (Participation): Rose asked who would read a 10-page white paper sent by a marketing firm and be convinced to buy what was being touted. "You can provide regular training sessions that go into greater depth but complement them with snack-sized sessions that employees can nibble on," suggested Rose. "Follow up bigger trainings with short quizzes and lessons to reinforce what was covered in the bigger sessions."

Test and measure (Purpose): We all can attest that marketers are proficient at using data to measure which tactics and strategies are most effective. Marketers:

  • Undertake A/B testing of different messages and content to see which land better with audiences.
  • Analyze what social media posts get the most attention.
  • Know which calls-to-action lead to a behavioral change.

Rose believes those responsible for cybersecurity should be doing the same thing:

  • Quiz employees after training to see what they learned--and where there are still deficiencies.
  • Follow up over time to see what knowledge is retained and where vulnerabilities are growing.
  • Track which video lessons are getting watched and whether they are being viewed until the end or turned off after 10 seconds.
  • Crunch the data to see if there are trends in specific departments or roles.

It doesn't have to be boring (Purpose): As mentioned earlier, cybersecurity training is serious business, but Rose believes it does not have to be dull. "Use interactive videos and games to make it something employees look forward to," mentioned Rose. "Introduce some friendly competition to motivate them. Challenge the sales team to see if they can do better on a security quiz than the engineering team."

Optimize for results, not participation (Purpose): This is one of the times where purpose supersedes participation. Rose emphasizes the goal is to be more secure, not just getting people to take the training. "It doesn't matter if 100% of your employees undergo training if one of them still clicks on a phishing [email]," Rose added. "That's the problem with training programs designed for compliance."

Final thoughts

Rose is aware that marketing principles are not a cure-all, but they can close some of the existing gaps, ultimately making everyone safer. Rose concluded by asking, "Why not learn from what has been working for marketers and apply those lessons here [cybersecurity]?"

Also see