CISOs play a critical role keeping a company's most critical asset — data — safe from both internal and external threats. But they're now tasked with the job of mastering executive communication, so they can both engage other C-suite members and give them a practical understanding of cybersecurity risk.
As noted by CIO, "tension" between the CISO and other members of the C-suite, especially the CIO, isn't always a bad thing. It's all too easy for CISOs to retreat behind technology-driven language and obscure metrics while other board members look on, unconvinced. How can these cybersecurity professionals change their delivery without compromising the message?
According to Infosecurity Magazine, the rise of the CISO is relatively recent. Five years ago, cybersecurity officers were technical specialists, but they didn't warrant seats at boardroom tables; today, the scope and complexity of threats to IT infrastructure make them essential. The result, however, is that many CISOs are unprepared to state their cases in front of executives with line-of-business concerns first and foremost on their minds. What works in speaking with IT department staff — for example, detailed threat reports and technical jargon — falls flat when speaking to other C-suite members. Why? Because without a business-specific, bottom-line context, the predictions described by CISOs often seem unlikely, overly dramatic and vaguely threatening.
As noted by Chris Wysopal, CISO and CTO of Veracode during an RSA 2015 session, CISOs "are essentially changing from control over a particular domain and staff to a role that affects real business processes on a bigger level." The result is a kind of pushback as other departments take issue with the broadening reach of CISOs. According to a recent Gartner report, entitled "Eight Practical Tips to Link Risk and Security to Corporate Performance," this is partly because organizations still take a siloed approach to risk assessment and management. What's more, this approach often causes a regression in the maturity of IT security practices as both individual departments and C-suite members fail to effectively communicate, lose focus on the end goal, and put too much focus on technological simplicity rather than security.
So how do CISOs develop effective executive communication skills? Wysopal suggests that, for CISOs, board meetings should be treated like "talking to your mom." While C-suite members are intelligent and business savvy, IT isn't their area of expertise. That means getting too technical too quickly virtually guarantees failure.
Instead, he recommends using plain language, no acronyms, visual aids where possible and preparing an appendix for any follow-up questions rather than trying to delve too deep in a single sitting.
Gartner, meanwhile, recommends CISOs develop risk-based approaches that clearly emphasize what type of IT security works, and what's missing the mark. Ideally, IT executives should avoid the use of operational metrics in favor of those "already packaged in a business context." This allows CISOs to answer questions of cost: how much protection will a given amount of IT spending buy an organization, and what's the potential cost of large-scale data loss?
It's also important to communicate process maturity. How effective are current IT security efforts at application, project and strategic levels? C-suite executives both understand and respond to this kind of language, making them more likely to internalize the information presented and approve budget requests based on CISOs' assessments.
Executive communication is the next big challenge for CISOs. It's not impossible, but requires a new approach: Being told about emerging security issues isn't enough — C-suite executives must "see" business value to appreciate the CISO perspective.
Want to go deeper? Check out the full Gartner report here.
Photo Source: StockSnap