I stumbled across this article this morning in my Twitter feed: Richard Berman Energy Industry Talk Secretly Taped (hat tip to Phil Plait, AKA @BadAstronomer). The ethics of the actions described are certainly up for debate. That's not what I want to ponder with you this morning. What I do want to ponder is how the Venn diagram looks for Social Engineering, Marketing, and Public Relations. I think it looks kinda like this when you look at everything at the same scale:
You can see, I think, that there is a ton of overlap among these skill sets when you adjust for scale. Social engineering is generally a targeted activity, e.g. spear phishing or a pretexting phone call. However, regardless of scale, the objective of all three areas is the same: influence someone to do or believe something that benefits another.
So what does that mean for information security professionals? I think it means that as we draft our strategies to defend against social engineering attacks we need to make sure that the Marketing and PR Departments have a seat at the table. Make friends with those folks. Understand how they go about influencing the masses to purchase the goods and services your organization offers. Then consider how you would use those techniques to sell malware or elicit information from a single target rather than a larger population.
Let me know what you think in the comments.