Security Advocacy Shouldn't Be for Security Professionals: An Analysis of How the Industry Misses the Mark and How We Can Improve

Conference: Black Hat Asia 2023

2023-05-12

Authors: Sarah Young


Abstract

Call it what you will, security advocacy/evangelism/devrel content such as documentation, talks, demos, videos, etc. is usually targeted at other security professionals within the industry. Great, isn't that how this part of the industry works? One professional advocating to others in the same field?

But security advocacy is different. Security advocacy is needed by all parts of IT and arguably, all parts of society. The old trope of "security needs to teach devs to be secure for DevSecOps" is still relevant, but what about SMBs and even individual, everyday people on the street?

In this talk, I will present analysis and research of past and present security developer relations and vendor content from all over the globe. I will demonstrate how most security messaging from this content is missing the majority of the intended audience and why this is causing content creators - whether they be dev rel, advocacy or vendors - to not have as compelling content as they may think they do. I will break down a few examples of security content to illustrate my points and I will analyze how these could be improved. The audience will leave with an improved awareness of this gap in security content targeting and strategies to redesign security content to be relevant to a wider audience with minimal effort and to plug said content into more communities so they can consume it.
