One of the key challenges in building a security program is getting active participation from across the organization, from line workers to top management. All of these people have “day jobs” and security is too easily put out of mind.
“Why Every Project Needs a Brand (and How to Create One)” appearing in the Summer issue of MIT Sloan Management Review has ideas to address these challenges. Professors Karen Brown, Richard Ettenson and Nancy Hyer base the article on their research on project success and failure in a variety of industries. I believe that security projects and security programs can benefit from their ideas, perhaps even more than projects with tangible business goals. Opening a new factory has built in branding and awareness with clear and concrete goals and visible milestones along the way. But security programs often operate in the background and branding must be more deliberate.
The five P’s of project branding, according to the authors are: Pitch, Plan, Platform, Performance and Payoff. These efforts go hand in hand with the actual project efforts, from start to finish. The 5 P’s really focus on overall communication efforts between the security team and the rest of the organization. The Pitch is the initial presentation to management, answering the question “why should we do this?” For security it needs to address issues such as: reducing risk, satisfying customer demands, meeting compliance requirements, improving efficiency. The Plan is the time to bring in a broader group into the planning process. This helps ensure that the security initiative will be successful and helps guarantee that participants will be on board after rollout. The Platform is the vehicle by which the Plan is communicated within the organization or to effected third parties. Performance includes communication of project results during the rollout phase. Obviously it assumes success, but even that is not enough, if not appropriately communicated to the enterprise. Finally, Payoff marks the completion of the initiative. For example, this could be a celebration marking a successful audit result or the final implementation of an automated identity management system. Without a clear “end point” in the project, participants may feel that their efforts have not been worthwhile. This in turn, will effect their continued participation in this or other security efforts.
Branding is all about communication with stakeholders. It importance in security programs results from the fact that everyone in the organization is a stakeholder in the organization’s security.