As someone who works on content marketing, I am well aware that most information security professionals aren’t deeply involved in that space. I can also 100% agree that we’re probably pretty annoying to most of the cybersecurity professionals because we seem pretty useless in effectively mitigating responses. However, at the same time, most information security people find the c-suite lack of education perplexing and upsetting. The thing is, the more I work with companies, the more I realize that content writers can be useful mediators. And no, I really don’t mean, “golly I’m the best!” I do, however, mean that the right content makes everyone’s jobs easier - not just sales.
The Importance of Content and SEO To Cybersecurity for Business Leaders
So, whether we like it or not, the majority of people learn about new things from The Almighty Google. As we all recognize, this can be both good and bad. As someone who taught college research strategies for 11 years, I am still a little traumatized by educated people’s inability to identify good information.
Since most business leaders who don’t understand what the CISO or CIO are explaining will hop on the internet, marketing is also responsible for navigating that disconnect between business leadership and cyber professionals.
If you’re a CISO or CIO not interested in vendors marketing to you, I can 100% understand why. I get it. For the most part, we come across as schilling a product. That is totally fair.
However, every content writer looks to hit Page 1 Google. Google’s Mysterious Algorithms search for all the words that seem to match the topic’s headline. For example, apple can be either the fruit or the computer. So when Google’s Mysterious Algorithm scans the copy, it decides if the words are “red, seeds, trees” (thus fruit) or “operating system, iPad, iPhone” (for computer).
Moreover, most content writing is focused for business leaders so we’re hoping that we make things understandable for them
What Bad Content Looks Like
OK, I’m going to throw myself under the bus. When I started, I wrote a lot of bad content. I look back on it, and I have to admit, I 100% roll my eyes and call myself several NSFW names. Bad content includes a lot of words and links that ultimately tell you nothing. An example of terrible content:
A COBIT 5 certification requires a lot of information, time, effort, and manpower. Many CISOs worry that if they fail the audit customers will lose trust. However, whether formal or not, companies often follow these protocols because the industry recognizes them as standards.
Although the names of the framework have been changed to protect the innocent, the above is pretty much something I wrote when I first started in cybersecurity. And yes, I am holding my eyes in my head so that I don’t eyeroll them right out of the sockets. And y’all, I wrote this.
What Good Content Looks Like
Good content doesn’t just use buzzwords or stuff terms into it so that Google thinks you’re smart. Good content needs to have quality information as well as all of that.
An example of good content might be:
To increase the value placed on interdepartmental communication, COBIT 2019 provides a clear list of actions that need to be taken, how to communicate those, and between whom those communications should occur using the terms “input” and “output.”
So, this is more or less a summary of a summary. However, this one actually provides actionable information. A reader knows that the new COBIT values communication, suggests workflow, and uses specific terms. I can at least say, “whew, I didn’t entirely suck when I did this one.”
The Five Things Copywriters Need To Know and Do To Bridge the Communication Gap
The Basics within Verticals
Give them the information necessary about your product to make the connection between everything.
The more information your content writers can figure out (and to be honest, none of this is super duper difficult with time and research), the better they can not only explain a product but the more they enable business leaders to understand cybersecurity.
Your business leaders are probably Googling just as much as I did. And you know? There’s some TERRIBLE information out there.
The Fundamental Security Problems
Whether within a given vertical or not, most companies struggle with the same problems. Web application, ransomware, malware, and network security. This means that good content needs to address these in meaningful ways. Resources like the Peerlyst training programs can be a great way to give overviews. For example, this post by Karl M. provides a list of free trainings available and cybrary offers a free introduction to cybersecurity course. These can provide not only the needed background but also the required language to help locate keywords for further internet research.
How To Create a Risk Matrix
Taking a security-first approach to cybersecurity means being able to identify risk and determine its impact on critical business processes. However, traditional tech writers who focus on applications and devices may not realize that they need to learn this skill. Thus, while it seems obvious to most it security professionals, it may not be obvious to writers.
Moreover, one of the largest knowledge gaps between security and leadership lies in locating and articulating the location of the at-risk data. For example, many business leaders may not realize that their social media enabling applications, such as Hootsuite, count as a third-party vendor. When organizations use their content writers effectively, they can enable stronger conversations in these gray areas. If you’re a CISO looking to strengthen those communications, try looking for good content that explains data loss arising from social media use, costs of that loss, and then give it to your business leadership.
How To Translate Real Risk into Business Language
Even in terms of risk analysis, a high level overview can help business leaders understand the risk. According to one report, social media accounted for 20% of the most phished brands. The average cost of a data breach according to Ponemon was $3.86M. Thus, a good post should explain the social media risk in business terms. “A phishing attack via social media has a likelihood of costing an organization $772,000.” This quantifiable data enables you to give business leaders at least an opportunity of viewing the issue in their terms. If all the content says is “social media attacks were on the rise leading to greater risk of data loss” then it’s not good content - either for a vendor trying to sell a product or someone trying to understand potential risks.
In other words, theoretically, good content should be helping CISOs navigate these communications barriers by doing the research and making the information approachable to those who aren’t technical. That’s literally our entire job.
Making Cybersecurity Compelling and Approachable
Good content tells an interesting story. I’m a big fan of analogies to explain complex and, often, abstract ideas. A lot of online content either provides no information, too much technical information, or too many buzzwords. Whether you’re a vendor looking to create content or a CISO seeking to bridge the information gap, you want to find someone who can reach your audience.
A few years ago, for example, I wrote about how business leaders are like the defensive coordinators of a football team. Basically, they need to make sure that the team is effectively defending against cybercriminals with the SOC team being the defensive players. The c-suite’s oversight means that they’re taking in the information that their players bring them. The SOC team handles the defense and acts in the moment. Even in a football game, the best-laid plans may need to be changed as players respond to offensive strategies. This analogy makes sense to leadership since it gives them a real-world example with which they can connect (assuming they’re football fans).
This isn’t really an analogy that gives statistics. However, it is information that allows a reader to connect with the process. These analogies, of which I’m rather fond, put something most people find overwhelming into a context that they understand. My all-time favorite posts ever may not have been the best SEO’d, but they were the ones that taught information. I’ve explained healthcare data collection in terms of collecting Pokemon (gotta catch 'em all!) and cybersecurity regulations aligned with Hogwarts houses (the more prescriptive ones are, clearly, Ravenclaw - fist bump to my House). And let’s not forget that basically every cybersecurity professional and their continuous monitoring protocols are, ultimately, a Mad-Eye Moody (CONSTANT VIGILANCE!).
These are not only fun to write, but they’re also a great way to get the non-technical readers on board and educate them. Good content is compelling, approachable, and informative.
Who Can Use Content?
Pretty much anyone can use good content. The issue is finding it. CISOs who only read technical information and have a difficult time translating it for business leaders should start seeking out better ways to explain things. Vendors need to be part of that enablement by locating the best writers and cultivating them.
Like I said, I get it. Content seems like it’s just selling a product, and you’re right - it is. However, writers focus on their audience. That’s what makes us uniquely situated to enable stronger conversations. We’re not just marketers. When I left teaching, part of it was because, well, students were annoying me and the pay was pretty crummy. However, I also still wanted to make a difference. I firmly believe that content writers not only need to bring in business but that we have an ethical commitment to creating useful information that helps the cyber community.