To many non-technical enterprise departments, IT—and particularly security personnel—are viewed as “Uh-oh… here’s the party pooper!” They’re the ones who are always seen as the people who say No. Yet, one IT executive has found a way to make security part of the company mindset… and to get the message across at the board level. Dr Cladia Natanson, chief information security officer at Diageo, has accomplished this impressive feat by treating security as a brand to be marketed, not a service that’s grudgingly tacked on to business-as-usual.
In her keynote address Thursday at the Executive Women’s Forum: Information Security, Risk Management & Privacy, Natanson said, “I don’t have a security program; I have a product.”
You may not know Diageo’s name (I didn’t), but you do know its products, which include Guinness, Baileys, and Tanqueray. The $50 billion company has 180 markets, 22,000 employees, and —very obviously— a marketing-centric corporate culture. In everything Natanson does, she’s selling security. “I need my end users to buy into this if I’m to sell it,” she explained. That means developing a look, with different “packages” for different user groups; and it means themes, like “Data Safe” (complete with a video ad for employees that sells them on improving laptop security). “I’m going up against Johnny Walker and Gordon’s Gin,” Natanson pointed out.
As just one example of how far she goes to embed security as a company internal brand, Natanson requested—and got—a “themed” conference room. Every company names its meeting rooms (CIO has several named after candy bars; I’ve seen other firms with town names or tree names.) At Diageo, each brand has its own themed meeting room whose decorations include cocktail recipes using, say, Bailey’s or Gordon’s gin. Now, the security team has its own “Cool blue” room which highlights corporate Bluetooth and WiFi capabilities, with “security cocktails” posted on the walls. “The chairman has drunk the password policy,” Natanson said.
Her efforts to sell security as a product are far more than a marketing gimmick. It’s a full marketing campaign intended to show how security (and IT) are part of the company’s value. “You need to be seen as part of the business instead of outside it,” she said.
One element is customer relationship marketing. In this case, it means that Natanson gets a one-hour meeting with every executive, including the chairman of the board, at least once a year. And she spends the time listening. That’s when she asks about the big ideas for the year, and what they’ll have to do to achieve those goals. Because she learns early what’s coming, Natanson explained, she can “become part of their leadership programs.” Instead of taking on a security role of scaremongering, she understands their needs early, and can show, “This is how I am adding value.” And, though she never mentioned this directly, she can embed security into the product and IT design at the very beginning of the process, where it belongs.
“My brand is data,” she said.
I think it’s reasonably obvious that I was blown away by her presentation. We’ve long talked about IT being part of the business, but I think that even managers can get lost in the techie details. Marketing people are used to thinking in terms of feature/benefit, feature/benefit, but IT folks continue to talk about features rather than the business value. Natanson brilliantly, I think, adopted the corporate culture and, by speaking their language, has successfully gotten her message across at the board level.