Gloo has been writing about cybersecurity for years. As a relatively recent addition to the team, I interviewed our resident specialist to find out more about the topic and what clients are looking for.
What is it about cybersecurity you find so interesting to write about?
Well, I find the topic itself fascinating. It’s something that touches our lives every day—whether it’s keeping your email secure, enabling ecommerce or using WhatsApp. And after doing it for so long, over ten years now, I feel that I can hold my own in conversations with experts and ask the right questions. So, I’m always learning, which I love.
Another key factor is the data. We do a lot of work based on surveys and desk research, but cybersecurity is one of the few areas where we get real data that we can analyse and visualise. In fact, we did a great piece recently where we ran a large survey and got lots of incident data. Comparing people’s sentiments with real world data was really interesting.
What are the challenges?
There are so many things to consider with cybersecurity, not just for businesses but from a marketing perspective. How do you grab people’s attention without overhyping the threats? How do you find something new to say? It’s a challenge making something that most people would rather not think about interesting, and get them to want to do something about it.
How has cybersecurity marketing changed?
Ten, even five, years ago it was all about FUD: fear, uncertainty and doubt. We often had to talk clients away from the edge. I remember many occasions where people wanted to say that a single breach was guaranteed to bankrupt your company. Fortunately, my knowledge of the topic meant that I could reel off examples—Sony, Anthem, etc.—to prove that it wasn’t true and convince them that saying so would damage their company’s credibility.
Today the conversation is much more about risk and helping businesses to make more informed security decisions. And the quality of information has gone up massively. Part of that’s thanks to forensics, which not only help find the culprits but help investigators understand how they did it. Learning from the mistakes of others is an effective approach, even in cybersecurity.
How has what clients ask for changed?
While the messaging has improved, the amount of content has mushroomed, making it harder than ever to make your content stand out. Clients increasingly want content that’s tailored to a particular group—say healthcare companies or SMEs.
I remember the first time we suggested a summary report on cybersecurity aimed at a business audience. The product experts weren’t just not keen, they were determined to block the project. They thought that “marketing” and “business speak” weren’t appropriate and wouldn’t go down well with their traditional audience of CISOs. We pushed for the idea and it went on to be a great success. But we still got the same reaction when the following year we suggested doing vertical sector summaries.
How has the conversation around cybersecurity changed?
Companies can be reluctant to tackle topics like cybersecurity—particularly the big tech companies. They don’t want to offer an opinion for fear of it coming back to haunt them. But all companies make mistakes and will inevitably experience a security incident of some kind. It’s knowing how to present yourself as a leader that is proactively tackling security issues head on that will gain the most success.
The truth is that you can’t make anything completely secure—systems need to be resilient as well as robust. Companies need to be able to get back to normal as soon as possible, with fixes to prevent the problem recurring. A cyberattack may not bankrupt your company, but not being able to offer services to customers certainly won’t help your reputation. That’s why learning how to reduce downtime and return to business as normal is one of the most talked about areas of cybersecurity today.
What are some of the biggest mistakes you’ve seen people make?
This makes me think of one of my favourite quotes:
“To keep doing the same thing and expecting different results is the definition of insanity.” Albert Einstein
There should be a corollary that to keep doing the same thing and expecting the same results forever is also pretty foolish. Too many companies never review security measures that they’ve had in place for years. Just because something worked last year, doesn’t mean it will work this year. Cybercriminals are constantly updating their methods and techniques. If you’re not keeping yours updated too you could be putting yourself at greater risk. Effective cybersecurity is all about understanding what you’ve got, constantly reassessing your defences (including the training of your staff), and watching out for and adapting to new threats.
And the same goes for content.
Do you have a particular cybersecurity pet hate?
So many. One is too much security. I subscribed to a news website a little while ago and had to create an account with a 16-character password with upper case, lowercase and special characters. I bet that the majority of people don’t have passwords that secure on their email accounts or online banking. Yet the only thing it was protecting was my reading history (IT stuff)—not even payment card details.
Security theatre can be a big problem—we’ve written a blog on the topic. You want to know your information is secure, of course, but you also want to know that the measures in place are appropriate for the data being gathered. It’s sort of like the boy who cried wolf. Implementing too much security is not only annoying for users, it can also motivate people to cut corners—and things like reusing passwords are still a big problem.
Do you find yourself writing the same things year after year?
Yes, absolutely. I remember being surprised when I first learned about how long most breaches go undiscovered. And how many are discovered by third parties. Likewise, about how many people click on phishing campaigns. Now when I read about those things it just seems normal. I’ve lost count of how many times I’ve written about the importance of segmenting systems, using encryption, implementing strong authentication and regularly testing defences.
What’s the most interesting thing you’ve learned about cybersecurity recently?
We’ve been doing a lot on 5G security recently and that’s been really interesting. It’s such a new topic that the only source we could find was technical content from manufacturers and organisations like the GSMA. A lot of that was hard going, but it was very satisfying when the clients were happy with what we wrote and their engineers and legal teams made very few changes.
Does writing about cybersecurity get you down?
Technology has enormous potential to do good and improve people’s lives. That would be so much easier if we didn’t have to worry about security. But sadly, I don’t think that any tool is going to make that happen—it’s got much more to do with macroeconomics than technology. So that day is a long way off.
On the one hand, it feels like we’re at a real nadir at the moment. Security tools have moved on a lot, but innovation is so fast, so varied, that consumers can’t keep up. And so, lots of people are worried about their toaster secretly having a microphone built in and sharing their most personal conversations. Really they should be worried about things like people using social engineering to find out things about them then carrying out sophisticated phone scams or getting them to click on a link and exposing them to malware.
Who would you like to write about security for?
There are lots of companies. IBM does some great content, as do several of the big consultancies like PwC and EY. But actually, most of all I’d like to work with an industry body with a few vendors as partners. Combining lots of ideas and different opinions with lots of data. That would be fun.
Posted by John on 5 April 2019