How can you build a brand for the security function that helps to reinforce secure behavior across the business?

Credibility and being a business enabler are indeed important. As for the actual branding, we've created a character - a fish - that we use in our campaigns and communications. It's got our colors and we've built a whole storyline around it. This adds to the branding and mixes seriousness with a touch of comedy.

One of the key elements is customer support. We need to ensure our customers' information remains secure and that they trust us. To build the brand, we need to communicate the accomplishments of the security function regularly. It's not about boasting, but about informing. We need to be available to answer questions as they come up, as people often have uncertainties due to media reports. Cybersecurity needs to be seen as an enabler of business functions, not a roadblock. It's about risk management and communication of those risks to leaders so they can make informed decisions.

In addition to being knowledgeable, it's crucial to be accessible and friendly. If people don't want to talk to you, then you've lost. It's important to be approachable, as it's a risk to be brilliant but unapproachable. Encouraging open communication is vital. When staff reach out, it's important to assure them they're not a bother, but rather they're doing you a favor. Rewarding employees who are doing what you want them to do is crucial. Being humble and relatable helps keep lines of communication open.

Establishing credibility is key to building a brand, whether it's internal or external. This credibility is often derived from being a subject matter expert. It's disappointing to see people in trusted positions with mediocre knowledge, often regurgitating content from online forums without truly understanding the subject matter. To build a strong brand for the security function, you need to be an SME and maintain that status.