# EntSec pt. II -- Accepting Exceptional Mediocrity
In the opening barrage
(https://www.infosecisland.com/blogview/17677-EntSec-Not-Business-Relevant.html),
I suggested the greatest sin of security professionals is not using
their skills to produce better product for the Enterprise, both
internal and customer-deliverable product. My second point, and the
topic of this post, was stated as "Security needs to provide product,
service, and visibility to the core business", and in retrospect that
was possibly the worst way of saying "Security needs to be a selling
point for all products and services".

side-channels to help our Enterprise deliver better product, increase
our business relevance, and integrate ourselves into the development
lifecycle, we're going to ~market~ our new-found Enterprise Religion to
the outside world. Marketing and Engineering won't like this, I can
almost promise that. However, when those same exact people are
customers elsewhere they fall prey to market-speak about security like
the infamous 'Military-grade encryption' gambit. So it's time we take
back our own marketing and talk about security and privacy as we
expect our own family members and professional counterparts to
practice it.

I don't know a better way of expressing this than through hypothetical
examples.
Let's say you're Zerocks and rolling out a new multi-function
copier/printer/fax/bagel toaster. Don't be afraid to talk about how
you've integrated security into the development lifecycle. Right on
the one- or two-page PDF, put information on where they can find out about
your privacy policy for support, your security contacts for reports
and questions, and your downloads for security errata. Just as the total
page lifecycle and failure rates are stated, make sure your security
message and availability are provided. You work 24/7, monitor your
email, stay up hoping not to see your company name on Pastebin... let
them know exactly how hard you work for their security. Everyone is
going to suffer escapes, and just like technical incident response,
it's how you communicate and make yourself available to customers that
defines how they'll react to you in the future.

Now you've moved on to Jawbohn and you've created a new-fangled
Bluetooth-enabled health recording device. What's the security model?
How do you wipe the device? Is your on-line portal for syncing to, say,
Nyke, tested regularly for vulnerabilities? All of this needs to be
clearly documented, turned into standard work, and integrated into the
marketing and support workflows across the Enterprise. Insist on it. Insist.

I'd go so far as saying that if you're interviewing for new employment, talk
about these ideas and see how receptive a new employer is to raising
the visibility of their Enterprise Security department.

If you get pushback, approach it from the same perspective that
Engineers would for an Industrial product. Have you increased fuel
efficiency? Extended the interval between regular maintenance? And so on.

In reality you've done exactly those types of improvements through your
integrated security lifecycle and participation discussed in the prior
post. Start, with humility, to take credit for it and communicate it
pervasively. This stuff matters to customers, it really does. Now, I
know that Sony and others have seemingly gotten away with massive
escapes, but that tide has shifted. It may not be reflected in stock
prices yet, but if you wait until it is, you've waited too long. It
can be a competitive advantage now and, in particular, with the key
tech- and privacy-savvy influencers of families, Universities, and
classmates. Respect for a brand can stay with someone for decades.
It's my belief that if you influence through Enterprise Security,
you will attract a better breed of customer and customer loyalty. This
is a worthy selling point and worth marketing. And you still don't
have to shave or put on shoes to do it.

We need a bigger piece of the proverbial pie; we simply must have it
(1), and I hope you agree that my rambling musings can help you slowly
get a bigger cut for your Enterprise Security department.

Cheers, -Ali
(1) Daniel Geer and Peter Kuper,
http://geer.tinho.net/ieee/ieee.sp.geer.1109.pdf