My Top Takeaways from 2023 - and Your Resolutions for 2024

People in the security industry love to make predictions, particularly at year-end. From security journalists to CISOs, everyone seems to have an opinion about what the top security trends will be in the coming year and is eager to publish it. 

Less common are reflections on the year that was - because that requires examining what may have gone wrong, or should have been done better, or even realizing that many previous predictions failed to materialize. Don’t get me wrong, prediction lists are fun and help fill digital space during a traditionally slow news cycle. 

However, for myself, I think it’s more useful to share what I’ve observed through my work with clients over the previous year. Although there are a lot of things I could highlight, I’ve identified three patterns I observed the most often in 2023, and why you should resolve to address them in 2024. That’s right, I’ve made your New Year’s resolutions for you! You’re welcome.

Most incident response communications need a makeover, stat. 

I’ve been surprised at how many organizations in 2023 were still executing incident response comms the same old way, which is to say by trying to put lipstick on a pig rather than being as clear and transparent as possible. It’s understandable: corporate communicators are often in charge of incident response crisis comms, and they believe less is more when it comes to preventing panic and minimizing press attention. However, this inevitably comes back to bite you and hurts your credibility, often more than the impact of the original breach. So when an incident occurs, rather than saying something that tries to trivialize the event, like “only 1% of our customer base was affected” (if you’re a medium to large organization this is still a lot of people, and journalists can do the math), put out an honest statement. 

The reason “silver lining” statements are a problem is that they often come across as apathetic and you will no doubt discover something later on that makes that statement untrue. So then you hurt your credibility and in turn generate another news cycle. To be honest, negative press stories are not the end of the world for most companies and sometimes the prudent choice for a business is not to fight. But high profile, drawn-out, and repetitive news cycles are distracting for your customers and your team – and they can lead to even more resources being diverted into regulatory or legal investigations. Sometimes not being popular with a specific journalist is simply the cost of business. Sometimes it’s the fastest way to a Congressional inquiry. What you say matters.

I recommend organizations of all sizes do an inventory of their IR comms and process to identify where they can improve. Spoiler: approaching security incidents with the traditional expectations of crisis comms, namely that incidents are unexpected and have a clear beginning and end, is going to cloud your decisions. The most effective IR communications process is part of a long-term strategic program focused on demonstrating empathy, competency, and collaboration. You can’t expect anyone in the security community to have your back if they don’t know what you’ve been working on. Good IR communications also help reduce the impact of high-profile incidents on your recruiting efforts.

Remember that with any kind of IR communication, whether it’s in response to a bug bounty report gone sour, a high-profile breach, or a third-party 0day, you will have a finite amount of space and time to get your point across to the people who need to hear from you. So, consider strengthening high-level statements with technical timelines and references to your trust center, where all the artifacts and evidence regarding your security posture and response reside. Don’t have one? Read on.


Many companies don’t have a trust center. That’s a mistake.

A lot of the stress and communication errors that occur when a security incident happens can be avoided or mitigated by having a trust center up and running before things go sideways. Yet I observed far too often in 2023 that organizations don’t have one, or if they do, it’s incomplete or exists solely for the purposes of customer procurement. Sorry to say that certifications and attestations aren’t meaningful communication tools in the wake of an incident, because we all know compliance != security. 

To be clear, a trust center isn’t going to prevent every incident (although it can help prevent avoidable incidents caused by gaps between what you say and what you do, discussed here), but it’s going to make it a lot less painful for you when you have an issue. By having essential information about how you protect customer or other data publicly available, you can point journalists, customers, regulators, and others to that information immediately, rather than having to bird-dog it from different places in your org and pull it together into a cohesive package in the middle of a fire. If you don’t have this information readily accessible, reporters will fill in the gaps with their own imaginations, and they have very vivid imaginations (as do all the security professionals not on your payroll who consistently speculate in the press about everyone else’s incidents). 

By responding to inquiries with a clear and honest IR comms statement and appropriate links to existing resources on your trust center, you are proving that your company invested in security before the incident happened. It’s a timestamp that will serve you well. We build trust centers for clients often and would be happy to share more information with you about the elements that would be most valuable for your organization. At the very least, we recommend all trust centers include information about: 

  • How you handle user account security - passwords, MFA, SSO, risk-based friction, marketplace monitoring, account recovery, etc. 

  • How you protect data at rest and in transit

  • How you are using encryption in your product and infrastructure, and what those protocols are with explanations of any tradeoffs 

  • Technical mechanisms that govern data practices (privacy policies are just words, prove you can build a respectful system)

  • Disclosure around access controls

Another important benefit of a well-done trust center is that both customers and prospects will better understand what you’re doing to protect them and that you proactively shared this information. 


A lot of security marketing is homogenous, not reality-based, and everyone is tired of it.

As part of our work with clients, we conduct focus groups to test messaging with a target audience. I believe going out with untested messaging is foolish, particularly today, when most security marketing sounds exactly the same.

In 2023, I observed this in several ways, including through industry events, social media, and direct client work. But it really hits me when I do focus groups to test messaging. Whether the target is a CISO or some other buyer in the decision chain, I heard the same complaints over and over last year:

  • They hate it when a company claims its product will solve all of their security problems. This isn’t credible because it just isn’t possible. There are a lot of very different and nuanced problems that different security teams deal with, across organizations and industries. When your message claims to address all of them, you lose credibility. No product will stop all breaches. Stop saying that.

  • A related complaint: security professionals can’t tell from your website messaging what your company or your product actually does. Again, many look alike and use the same descriptive words. Much of this is because security companies hire vendors with no security experience to build their messaging and website. Those vendors view the copy through the lens of what they think sounds good, rather than what the prospect needs to know. And they fail to test these messages before publishing web copy.

So testing messaging doesn’t happen nearly enough, yet it pays for itself hundreds of times over in the long run. However, you need to test it with the right target, which leads me to a related observation from 2023: many security companies simply aren’t honest with themselves about who their buyer is. Most assume it’s the boss, the CISO, and sometimes it is, but many times it’s a director or line manager further down in the org. This is the person who will actually use your product day to day and will advocate to the CISO for budget to buy it, so that’s who you need to convince. This means your messaging has to be more technical and more precise. 

Knowing your customer and testing your messaging with that target are two critical steps to take before you go to market.

Your 2024 Resolutions

Instead of chasing trends and predictions, I recommend taking a close look at the elements I’ve outlined today. Perhaps you’re totally on top of your IR comms, your trust center, and your messaging. Great! But based on the last year and my experience, most companies have some work to do in one or more areas. So to recap, in 2024:

  • Commit to a thorough review of your IR comms, and resolve to make them clear and honest

  • Resolve to build a trust center! Or if you already have one, make sure it’s complete, easy to find, and routinely updated

  • Make a never-ending resolution to test your messaging with the right target audience. This applies to new product launches, marketing campaigns, and website copy and design. No more flying blind.

As always, we’re here to help. Be sure to check out our mailbag questions, blogs, and case studies for insights and tips on these topics and more. 

Here’s to a great 2024!
