As a Chief Information Security Officer (CISO), I've walked the tightrope of cybersecurity, balancing the technical realm and the boardroom's strategic discussions.
The bottom line is that I have failed at it plenty, so I made it a point years back to focus on learning to improve my communication.
I spend my time working with CISOs, CIOs, CEOs, and Boards, helping them identify, manage, and secure their organizations and, most importantly, helping everyone communicate better.
- Overloading with Technical Jargon
- Failing to Align Security Goals with Business Objectives
- Not Understanding the Audience's Perspective
- Not Influencing and Persuading
- Missing Out on Building Strong Relationships
- Not Adapting Communication Style
Over the last year, I have worked with younger CISOs, men and women in the CISO role for the first time. I have also worked with mid-career CISOs; both groups struggle with understanding how they communicate.
This is not a criticism, just an observation, and it has been very consistent.
CISOs need to think of themselves as business executives, weaving narratives that link cybersecurity initiatives with broader business goals…instead of being cyber weenies.
The transformation from tech-savvy expert to influential communicator doesn't happen overnight. It's a skill you need to focus on.
Here are eight suggestions to get you on the path to better communication:
- Prioritize Clarity in Communication: As a CISO, it's essential to distill complex cybersecurity concepts into clear, understandable language. This ensures that non-technical stakeholders can grasp the significance of security measures and cooperate more effectively. For example, instead of saying, "We need to implement end-to-end encryption," explain, "We must protect our customer data from unauthorized access to maintain their trust and comply with privacy laws."
- Develop Strategic Storytelling: Craft compelling narratives around cybersecurity initiatives to secure buy-in from top management and board members. Use storytelling to link cybersecurity efforts with business objectives, like illustrating how a proposed security investment can prevent potential financial losses and protect the company's reputation.
- Enhance Crisis Communication: Effective crisis management communication is critical to maintaining trust and authority. Develop clear, concise, and direct messaging during cybersecurity incidents to ensure stakeholders are informed and reassured. For instance, in a data breach, quickly communicate what happened, what's being done to resolve it, and how it will be prevented.
- Engage Stakeholders Proactively: Identify key stakeholders and tailor communication strategies to their concerns and expectations. This involves regular updates and interactive sessions where stakeholders can express their views and understand the cybersecurity landscape. For example, quarterly security briefings should be held with the board to discuss current cyber threats and the company's defensive strategies.
- Leverage Data in Decision-Making: Use data to underscore the necessity of cybersecurity investments and strategies. Presenting cybersecurity risks and solutions in a data-driven format makes the information more tangible and persuasive. For instance, statistics and trends can be used to demonstrate the ROI of cybersecurity investments to the finance team.
- Bolster Your Leadership Presence: As a CISO, you should be seen as a trusted advisor in cybersecurity, influencing decision-making processes and advocating for necessary security investments. This means confidently leading and backing up your recommendations with solid data and industry best practices. For example, advise on how adopting a new security framework can mitigate emerging threats and align with business growth.
- Implement a Feedback Loop: Establish a mechanism for receiving and integrating feedback on your communication practices. This will help you continuously improve your approach and adapt to changing dynamics. For example, after a security meeting, ask for feedback on the clarity and impact of your presentation to refine future communications.
- Utilize Practical Tools and Strategies: Equip yourself with a toolkit of practical strategies, examples, and frameworks designed for effective communication in cybersecurity. This will enhance your daily role and impact as a CISO. For instance, use a well-structured incident reporting template that highlights key points clearly and concisely for quick understanding and action.
These are a few ideas that have been tried and tested, both personally and in the Cyber MBA program I teach.
The path from technical expert to strategic communicator is pivotal for a CISO, blending personal growth with professional development. As we tackle the complexities of cybersecurity, it's our ability to clearly articulate, engage, and influence that empowers us and our organizations.
What strategies or experiences have shaped your communication approach in the cybersecurity realm?
Virtual CISO for SMBs | Helping Companies Win Enterprise Deals | SOC 2 & ISO 27001 Expert | Former Security Director | Book a FREE Security Strategy Call
1 year · Great stuff Geoff Hancock CISO CISSP, CISA, CEH, CRISC. To complement your points, Lucia Milic? Stacy, JD and Dr. Keri P. share an interesting view in a recent HBR article: board meetings focus too much on protection instead of resilience: "For example, in many board meetings, the primary topic is how often the company administers a phishing test and the statistical results. To us, that is the wrong perspective for board oversight. We know we cannot be completely protected, no matter how much money we invest in technologies or programs to stop cyberattacks. While spending resources to protect our assets is critical, limiting discussions to protection sets us up for disaster."
Hands-on Cybersecurity @ Access Point
1 year · Great article, Geoff! From working with you every day, I'd say you practice what you preach here.
Head of Group IT/SAP | Strategic IT Leader with Practical Solutions | Increasing Operational Efficiency
1 year · Absolutely, Geoff Hancock CISO CISSP, CISA, CEH, CRISC. As CISOs, our ability to communicate effectively can make all the difference in managing stress and enhancing team cohesion. Effective communication is paramount for CISOs!
Director, Cyber Ops Strategy, AF and CCMD BG @ SAIC
1 year · So many great points Geoff Hancock CISO CISSP, CISA, CEH, CRISC. I would footstomp two points: 1. Cybersecurity is IN SERVICE to the Business's goals. Fastest way to become irrelevant is not being an organizational executive first. 2. Build the feedback loop. You need a "trust circle," people that will give you direct, critical feedback because they CARE about your and the organization's success.
President @ PurpleSec | Marketing Leader | Cybersecurity Nerd
1 year · I think proactive communication is key here. Getting ahead of projects and aligning teams towards achievable goals is one of the only ways work can be completed effectively. I do think data, for some, can be a double-edged sword. When you're deeply invested in a project it's very easy to get into the weeds. This requires focusing on top-level stats that tell the whole story versus puking all the stats at once.