Why NCA Exec Director Lisa Plaggemier assumes no one cares

Lisa Plaggemier hadn’t written code before, but her years in the marketing department taught her how to get people thinking about it.

The then-director of security culture at ADP Dealer Services (now CDK Global) had the task of getting the organization’s seasoned developers to enroll in application-security courses.

Her 2017 presentation, titled “They’re Just Like Us,” highlighted tech pros with impressive résumés—technical and language backgrounds not all that different from coders in the room. The only difference: Plaggemier’s examples were ones of criminals—a way to tell programmers that their adversaries had equal skills.

“Two of the other guys that I had picked, they actually had a company that was a DDoS-mitigation company by day, but then by night, they DDoS you,” Plaggemier told IT Brew.

Plaggemier, a former marketing pro at Ford Motor Company, knows the value of a good hook. Before pivoting to security at ADP, she was a marketing manager at the company. For under-the-radar but high stakes threats like cyberattacks, the ability to capture attention is especially important to Plaggemier, who is currently the executive director of the National Cybersecurity Alliance.

“Too many security people assume that because they’re passionate about security, and they care about this stuff, that everybody else cares,” Plaggemier said.

Go-to marketing strategy. Plaggemier began her career in the marketing field—first at Ford and then ADP, a company providing vehicle manufacturers with systems that facilitate a car dealership’s many functions, like part ordering and vehicle-purchase financing.

The marketing world is frequently an optimistic one, painting the rosiest, most Ford tough version of a product. When Plaggemier met ADP’s security team, she found individuals who share her more skeptical style of thinking.

“I met people on the security team, and then I realized, ‘Oh, these are my skeptics. These are my people who don’t trust anything at first glance,’” Plaggemier told IT Brew.

Lisa, one of the more tech-minded members of the marketing team, moved to the security side of ADP (by that point, CDK) in 2014 and gravitated to peers who translated the technical details of cyberthreats into easily understood language.

“Once I started to understand some of the concepts, I realized what a huge communication gap there is between security professionals and the rest of the world. Like, there’s this [cyber] war going on, it’s intangible and remote, nobody can see it, nobody can touch it. And the people who are in it all day struggle to communicate with the people that aren’t,” Plaggemier said.

Plaggemier ultimately ran awareness programs as threats like the Jeep Cherokee hack made headlines.

One common theme, as Plaggemier moved through security evangelist and educator roles, to where she stands now as director of the NCA, a national communicator of cybersecurity concerns: Assume that nobody cares.

“I have to get their attention, and I have to find a hook,” Plaggemier said.

Luring tactics include humor, like the NCA’s “Kubikle” series—a kind of cybercrime-meets-The Office effort. The episodes of the NCA-approved series, which began almost a year ago, average tens of thousands of views on its YouTube page.

And sometimes a good hook gets personal. When news broke that a state-sponsored hacking group from China hijacked home routers for a botnet, Plaggemier criticized news efforts to communicate the problem:

“They don’t paint the picture to the average citizen that there was a member of the CCP standing in your den where your router is. They didn’t make it tangible,” Plaggemier said. The NCA director is already thinking of ways to get those with devices in the den to understand the cyberthreat, perhaps in time for a Mother’s Day PSA. (“We were actually thinking, could we do [something] like, ‘I love you, Mom; here’s a new router,’” Plaggemier said, still brainstorming the idea.)

“My job isn’t to convince them that the glass really is half full. My job is to try to persuade them to change some of their behaviors,” Plaggemier said.

Half-full optimism? That’s more of a marketer’s term.