Leveraging software development lifecycle security as a go-to-market differentiator is imperative in setting companies apart from competitors. As Coalfire’s Cloud Advisory Board and my colleague Gail Coury eloquently pointed out in our recent Securealities Report, Smartest Path to DevSecOps Transformation, expectations for customer assurance are too high for corporations to treat security as a trade secret anymore.
Today, everyone is cybercrime-aware. If they’re not demanding it already, just about every B2B and B2C customer will soon expect up-front assurance from their providers that security is 100% present and accounted for. This also goes for vendors, suppliers, partners, regulators, courts, utilities, governments, countries – everyone.
“Boards and C-suites are more attuned to enterprise security risk than ever before. So are vendors, suppliers, and customers. It’s about time. We’ve been talking about using ‘security as a marketing tool’ for years, but the time for talk is officially over.”
– Gail Coury
Coalfire Cloud Advisory Board
CISO and Senior Vice President
Key takeaways about security in the competitive market
The goal is to instill in constituents that security is at the core of every relationship and is baked into your company’s DNA.
- Incorporate security and trust into messaging alongside features and specifications.
- Understand that competitive differentiation is a team sport that requires knowing how to talk about being secure internally and externally.
- Ensure customers know that both you and your supply chain are secure – and be able to back that up with certifications and proof points.
This part of the value discussion has evolved over time: security and the currency of trust can now be looked upon as marketable business factors with measurable returns on investment. As the interface between customer and company becomes more digitized, customers want to rely on the company’s entire digital landscape to keep their identity and data protected, assure business continuity, and prove that the user interface is a security comfort zone where buyer and seller can streamline their work together with minimal frustration.
Ways to tell your story
The most effective go-to-market tactics, starting from the top:
- In-person discussions/workshops as part of the purchase process
- Publication of compliance reports and penetration testing results
- Maturity score/benchmark against frameworks, industry peers, etc.
- Customer-facing collateral providing detailed technical/security blueprints
- Security rating by third party, e.g., BitSight, Security Scorecard, etc.
Pathways to competitive differentiation
Look in the mirror. Security pros have been viewed by coworkers as dogmatic rule enforcers for far too long, mainly because security leaders traditionally have not been as closely aligned to the business as other leadership roles. It’s time to evolve away from this image and contribute business perspective if leaders want the organization’s cyber effectiveness to mature and keep up.
Safe supply chains, safe vendors. Sharing your company’s security persona and posture with influential colleagues in your supply chain is critical to marketing and communications. Customer data and identities are exposed to new threats daily, and they need to feel protected in a world where network perimeters are crumbling around them.
Evangelize executives. To get everyone thinking about security as a marketing tool and revenue driver, start by initiating conversations with your board and executive leaders. Instead of being an expensive bad cop that peers within your organization look to avoid, push your department to become a repository for answers on how to empower business and security together.
Have customer conversations. As part of any pitch or proposal, include an element that shows off your certifications, and educates prospective customers about how you will develop and apply security controls and contingencies on their behalf over time. People of all technical aptitudes need a helping hand to understand what protections are needed and are in place, and how to bring those messages back to their own customers and internal departments.
Frameworks – the new seal of approval. Security frameworks have evolved like wildfire over the last few years. Markets and marketers barely knew what frameworks were until the proliferation of GDPR, CCPA, CMMC, ISO, and others started taking center stage. Now they are quickly embedding into the collective consciousness and even the least technical among us understand their value as security seals of approval.
Be the enabler. Have conversations with your heads of marketing so that they, in turn, can integrate security messaging into their GTM efforts and relay those value propositions to customers.
Secure the code. With digital transformation, security is more important to ensuring brand integrity and customer trust. It’s time for us technologists to become true business leaders. Help developers by sharing security responsibilities and doing the right thing by integrating secure code from the get-go.
- Model threats together in the first agile team meeting
- Reward security excellence in development lifecycles
- Educate executives, employees, vendors, suppliers, and customers
- Make sure development security is baked in from the first scrum to the end of the lifecycle
Walk the talk
For every business unit and department, always ask: How are we integrating security into our daily work activities, and how will it improve the customer experience? Only when you have the answers can you confidently market your organization as one that cares about security, and as one that is fundamentally mature in its cyber mission and culture.