Branding is “the art of aligning what you want people to think about your company with what people actually do think about your company. And vice-versa,” says Jay Baer of digital marketing consultancy Convince & Convert.

That seems a cogent description. But whatever your definition and there are plenty, branding’s all about short cutting the decision making process so consumers can make an informed choice because they know what they’re getting.

It’s for this reason that global research agency Millward Brown calls brands ‘trustmarks’.

So show someone a well-known logo – Apple, Cadbury’s, NASA – and they’ll immediately ‘feel’ something. How ill-defined or nebulous that may be will depend on whether they are the audience or not.

And it’s not just organisations as a whole that have a brand identity. Particular functions within them do also. This includes information security.

So, if you want people to ‘buy into’ your information security as a brand, then you must create the perception that what it offers is worthwhile to your ‘buyers.’ In other words, that it should be seen as a priority in an organisational ‘marketplace’ filled with competing messages and ideas.

The five brand components

In their paper Brand Experience: What is It? How Do We Measure It? And Does It Affect Loyalty?’ researchers at Columbia University break brands into five component parts.

  • Sense – the sensory or aesthetic qualities of a brand. This is more applicable to physical products, less so to an ‘intangible’ like information security.
  • Feel – the moods and emotions a brand induces. To many, information security engenders negative rather than positive feelings.
  • Think – how a brand stimulates our imagination and intellect. While some may consider information security as a challenge, others might see it as something not worthy of their attention.
  • Act – this is our behavioural reaction towards a brand. One of our primary motivations is to either move toward something or away from it. Information security often evokes the latter response rather than the former. That results in a lack of engagement.
  • Relate – this involves the social context of the brand experience. This could, for instance, see tribes within an organisation thinking very differently about information security.  

What are the perceptions attached to your ‘information security brand’ currently?

Branding by default

Unfortunately, brand identities all too easily arise by default. This happens through the gradual, unplanned accumulation of historical managerial decisions, unsuitable employee hires and random events. Together these unconsciously create a culture, personality and group-think that determines the way an organisation in part and as whole is perceived.

This potential for accidental branding is why major companies to work so hard to create and protect their brand from contamination, something that can still all too easily happen in an instant – just think United Airlines and the unfortunate Dr Dao.

So, as someone responsible for information security, through such ad hoc evolution – the result of many things you have had no direct control or influence over – you have probably inherited a less than perfect brand.

And since a brand only has value when it helps others to think in the right way about you, if it’s not doing this, then you may need to consider re-positioning it.

Repositioning information security as a brand

What does repositioning a brand involve?

One. Deciding how you now want your brand to be seen. Without a clear picture of the values and other ‘intangibles’ that define it, you won’t going to get very far.

Two. Determining the ‘negatives’ that currently compromise it and starting to ‘dilute’ them to the point where they are under control or don’t matter.

Three. At the same time, start attaching the ‘positives’ you want to associate with your brand. Again, it’s likely to take a while before old memories are erased and these new associations stick.

Four. Identifying all customer touch points and making sure that your brand values are reflected at each. Only this way will the customer experience be consistent throughout. This includes ensuring that everyone in the ‘infosec team’ does their job and interacts with others in a way that reflects these new brand values. By the way, watch out for another blog from us on ‘personal branding’.

Five. Monitoring what’s happening and making changes as necessary based on the actions of your customers. Remember, branding has no purpose if your customers and clients don’t respond in the way that you want.

Six. Continually communicating information security’s brand values through awareness and education campaigns. Branding is not a one-off event but an on-going exercise.

Auditing your information security brand

Of course, while you can embark on your own branding exercise, it’s often much easier and more successfully done with the fresh insights of a third party – the reason why companies across many sectors turn to Marmalade Box for a brand audit.

Our brand audit will enable you to strategically review how your ‘customers’ see information security as a brand, which is the vital first step in reshaping their whole customer experience. Why not contact us to discuss your branding challenges further.