How can CISOs strengthen communications with cybersecurity staff?
Miguel (Mike) O. Villegas
Founder iSecurePrivacy LLC | CISO TRISTAR | CTO/CISO @ XAHIVE | CISA | CISSP | ISO 27001 Lead Implementer | CEH | CDPSE
Question: There's a lot of information available about how CISOs should communicate with their peers and superiors, but what about the cybersecurity staff that works under the CISO? How should CISOs work and communicate with their employees?
Source: Searchsecurity.com - https://bit.ly/2mBHka8
The CISO is key to the success or failure of the information security program. Depending on how he deploys the program, communicates with executive management, is viewed by business units and handles issues, the CISO can enable a strong program that meets the cybersecurity needs of the enterprise. Supported by an effective cybersecurity staff, there is much that can be achieved.
Cybersecurity staff members are a reflection of the CISO. Whether intended to or not, employees will emulate the CISO's resolve, focus and commitment to the information security program. His work ethic will also rub off on his staff.
None of this is achievable without proper communication. Without this, employees who do not trust their CISO or don't know what is expected of them will rarely perform to their potential.
A CISO's communication with employees needs to be honest. The CISO needs to show respect for employees and, in building trust, they will show deference to his position and loyalty.
Employees who are not loyal are unlikely to build an inventory of satisfied enterprise personnel, such as business units, IT staff or management. The staff will wind up working increasingly for only one thing -- a paycheck.
To improve and channel the right CISO communications with cybersecurity staff members, institute the following:
- Staff meetings -- Schedule weekly meetings to communicate how the group is doing as a whole. Go over action items from the last meeting. Go around the table and have each staff member say what he or she is working on, challenges they have faced and accomplishments from the previous meeting. Recognize staff accomplishments, ask for opinions on staff challenges encountered during the week, allow group interaction to solve a problem (even if you already know the answer), and make the open discussion pleasant and fun, but constructive. Never embarrass or reprimand a staff member during staff meetings, but do take control of discussions if necessary. Do not go over an hour for each meeting. If you are consistent, the staff will believe you will keep your word on other matters.
- One-on-one meetings -- Meeting with individual staff members need not be formal or scheduled necessarily, but the CISO needs to have these meetings at least biweekly. These are opportunities to talk about personal goals, challenges and counseling for improvement. This is the time to reprimand and correct, where it was not appropriate during staff meetings. Never leave this meeting without a goal or assigned task in anticipation for the next one on one.
- Hidden signals -- Pay close attention to body language, unspoken messages, requests for help and morale. Bring these up during the one-on-ones, but raise them during staff meetings if they involve the entire group. Take staff member input seriously, and make others know that what they contribute matters.
- Staff areas -- Walk around staff cubicles or work areas and let them see your interest in their everyday activities. This personal contact strengthens the CISO's relationship with each cybersecurity staff member and builds trust. Occasionally, go to lunch as a group away from the office.
- Recognize staff members -- Do this openly in meetings. Recognize staff member accomplishments in other department meetings and management meetings. This gives staff members a sense of contribution and purpose.
- Staff evaluations -- Never be late in performing formal individual staff evaluations. Staff need feedback on their performance, personal goals and areas for improvement. This is important, since it has a direct bearing on raises and upward mobility.
- Share departmental goals -- It is not enough to communicate departmental goals such as growth, tool acquisitions, training or key performance indicators. Share your perspective on where the company is headed, without compromising what is strictly meant for management. Tell your staff how the goals could impact the group as a whole, and assure them that you always have their best interests in mind.
- Follow up -- Keep notes on each individual. Jot down the essence of the previous meeting so they know you were listening and care about them. Give yourself reminders so that they know you did not forget what was discussed.
The key to strengthening cybersecurity staff communications is to be authentic and genuine. Let them see your vision, passion and commitment to them and your profession.
Do not manage your staff; manage projects. Lead staff by example. Keep an open door policy and you will cultivate loyalty and better communication with your staff.