As a Chief Information Security Officer (CISO) in today’s business world, you wear many hats. You’re a business-unit leader: managing your team to ensure that your business can continue and thrive in a secure fashion. You’re also a technology leader: understanding your business’s tech so that you can provide ideas, innovation, and direction to incorporate security into corporate systems.
In order to successfully carry out both of these roles, you must prioritize communication across all organizational levels. Here’s how to communicate upwards to your bosses and boards, laterally to peers in other departments, and internally to your managers and staff.
CEO and Board Communication
To be an effective communicator to the CEO and Board of Directors, you need to reduce the barrier to entry for understanding technology and security. Few senior business leaders outside the information technology (IT) organization will understand the importance of “continuous and adaptive authorization and authentication in order to further zero-trust architecture goals,” and we should not expect them to. Instead, we could articulate a “frictionless login process, without passwords, that is more secure and increases staff productivity.”
I’ll be the first to admit that the latter phrasing doesn’t satisfy my inner cyber-geekdom, and it doesn’t tell the entire story. What it does do, however, is allow your leaders to understand what you’re trying to do, build their confidence, and open the door for further conversations. In fact, that is why your organization needs a CISO in the first place.
Peer Communication
To effectively communicate with peer business leaders outside the IT department, you need to understand their priorities and be able to offer — and explain — security solutions that help them meet their business objectives. The leaders of marketing, finance, and sales all have important goals that they need to accomplish, and cybersecurity can enable those goals. Taking the time to understand those goals and help them reach them, in a secure fashion, will go a long way toward enabling the security team to meet its own goals.
One caveat: As you are communicating security needs and options, make sure to avoid using fear, uncertainty, and doubt, affectionately known by the acronym FUD, to scare the people in your organization into securing their data. It may be true that people across the business do not know and have not seen what you are up against in the security threat landscape. It also may be true that advanced and capable adversaries are actively searching for any hole in your cyber defenses. While thwarting those adversaries should be near the top of your business objectives, it is not one of the top areas of focus for the CFO. You should bring calm and order – not terror and confusion – to these leaders. Fear will breed overbuying, which will run up costs, and it will likely put a damper on openness to new technology and innovation, so don’t lead by communicating about security through FUD.
Team Communication
As a successful CISO, communicating with your team is the main conduit through which the actual work of security gets done. Let’s face it, your days of programming firewalls and examining packet captures are probably over. Even though it may sometimes feel as though it’s easier to do those things yourself, as a leader, your job now is to communicate goals and outcomes and coach your team to success.
Keep in mind: There is a fine line between not sharing enough information and overburdening your staff with so much information from across the organization that they can’t sort through it all. Packaging your knowledge in a cogent message that provides the business outlook necessary for the security staff is an important part of a CISO’s role.
Providing that message effectively, through the lens of cybersecurity supporting business outcomes, is integral to meeting the communication objectives for the other parts of the organization discussed in this analysis. The idea that cybersecurity is a business enabler and not the “organization of no” will likely be seen as a shift in your staff’s culture. Effectively making that shift requires not only verbal communication but also modeling the behaviors you expect from your staff. You need to talk the talk and walk the walk.
In a previous role, one of the managers on my team had a particularly difficult time getting her staff to accept the shift to a more customer-centric approach that I was pushing for. No matter how much I addressed it with the manager individually and with the staff as a group, I was still hearing reports that security was the “organization of no.”
Then, during a coaching session with this manager, an episode with a particularly difficult customer came up and I could see glimpses of the very same attitude that we were trying to eliminate. And, despite her talking the talk with her staff, she was not “walking the walk” to make the culture shift I was looking for. We talked about the effects of commiserating with staff and how we needed to model the behavior we were looking for. It did take some trial and error, but we were able to get her to make the necessary shift, which led to her staff falling in line.
This demonstrated very clearly the importance of practicing what you preach in order to effectively communicate with your team.
Final Thoughts
Most of us did not get into cybersecurity because we wanted to think about organizational dynamics and effective leadership through communications. But, as CISOs, we need to lead our businesses and people through the challenging task of securing our information while making sure the core business of the organization continues and we are communicating effectively at all levels. These skills do not come naturally to most of us. Keeping deep thought, consideration, and empathy top of mind, on a daily basis, will ensure you are delivering the proper message — and strengthening relationships — throughout your entire organization.