Introduction
In the 80s hit song Here Comes the Rain Again, Annie Lennox, one half of the then famous pop group Eurythmics, sings despairingly to her ex-lover-turned-bandmate Dave Stewart: ‘Talk to me like lovers do!’ Melancholy aside, the line captures the need for communicators to be on the same page: an individual crying out to hear and be heard, to understand and be understood.
In the corporate world, this need could not be more amplified, as countless conversations take place between company executives and stakeholders, C-Suite members, management and employees, and colleagues at all levels. In the highly dynamic world of cybersecurity, for reasons ranging from costs, safety, revenue, reputation, workforce engagement, and indeed, the very existence of the business, it is also a need that cries out to be constantly fulfilled.
The CISO and CISO-speak
Sitting at the helm of cybersecurity activities in an organization is the CISO, whose role as an influencer in various capacities is being increasingly felt. Once the head of a function deemed to be a cost center, the CISO of today is often thought of as an important member of the board, the face of the management team on compliance and security matters, and the digital architect of the organization. Many would place him on par with even the CEO and the CFO, given the custodial nature of his responsibilities.
When seen from this point of view, ‘CISO-speak’ assumes tremendous significance.
Conversations with a CISO
Just as the success of a CISO depends on many factors, noteworthy amongst them the success of his team, so too does the effectiveness of his communication. Chief amongst these is the persona of the CISO himself. Dark Reading (1) categorizes CISOs by their orientation as:
- The business-minded CISO, who is concerned with results, revenue, costs, efficiency, corporate image, and the like
- The compliance-minded CISO, who primarily concerns himself with ensuring that statutory obligations and compliance requirements in cybersecurity areas are met
- The technology-oriented CISO, whose preoccupation with technology and solutions very often defines the direction of his efforts and dictates the content of his communication
How CISOs are communicating today
Growing concern about cybersecurity incidents and data breaches has made the role of the CISO, and his communications with the board, extremely sensitive. Yet despite the growing influence and the clear importance of the function, the studies available today tend to show that there is still some distance to go before the role is appropriately recognized in C-suite circles.
Despite channels opening up for them, most CISOs surveyed say that they report rather infrequently to their boards, with more than half of them making reports only on a quarterly basis(2). Many CISOs say they do not have the full support of their boards. Proofpoint indicates that CISOs are experiencing a diminished level of support from their boards – this year only 51% felt they enjoyed their board’s support, compared to 71% last year. Many CISOs feel they struggle to convince their boards on technical issues, often having to ‘educate them rather than communicate.’
Research by PwC, however, shows that the dissatisfaction is mutual: board members often feel that the CISO’s communications today are too heavy on technical jargon and detail.
Enabling the CISO conversation
Though it’s impossible to have a ‘one size fits all’ template for CISO board communication, many experts are of the opinion that a radical change in the way CISOs communicate may be necessary. Andy Ellis, advisory CISO for Orca Security, who spoke at the recently concluded RSA Conference, says ‘CISOs need to tighten up their language’, while Joseph Carson, chief security scientist and advisory CISO at Delinea, opines that CISOs stand to win support from their boards by taking a conscious approach to ‘measuring themselves and communicating about business outcomes’, rather than talking ‘attack metrics and precise technical details.’
Given the results of exhaustive analyses on the subject by leading experts, a good starting point for effective CISO communication may lie one level down: in how cybersecurity experts report to their CISO before he embarks on his board communication.
Getting the conversations right
Given the many areas of the business that are impacted by the CISO’s field of operations, cybersecurity executives would do well to ensure their presentations to CISOs address all possible areas of concern. A cybersecurity project proposal, for example, needs to address the entire gamut of business areas: technology, processes, costs, timelines, resources, security, controls, employee engagement, and results. They should also carefully craft content so that it is aligned with the CISO’s persona. The business-minded CISO is most receptive if the cybersecurity executive presents a project as a business enabler; security aspects like data privacy and compliance with various standards may hold special appeal for the compliance-oriented CISO; and the technology aspects of a proposal, such as architecture, infrastructure, and processes, can be highlighted for the technology-oriented CISO.
It stands to reason that such presentations by the cybersecurity executive would follow consultations and discussions with experts from various disciplines – finance, legal, cost control, HR, IT, and even C-suite executives.
Conclusion
Though hard-core business executives, CFOs in particular, will evaluate the CISO for what his contribution brings to the table in terms of business outcomes, there is no discounting the importance of effective communication from the CISO to the board, and from the CISO’s team to the CISO. Given the maturity of the industry and the competence levels of cybersecurity teams today, the content of the communication is often good; what is needed is a shift in the language used at every level. Business risk rather than cybersecurity costs. Business outcomes in lieu of cyber protocols. Business stories over attack graphs. Reputation loss instead of cyber measures.
Too hard to implement? Not really. One fundamental truth is worth remembering when it comes to communication: people do like to hear what they want to hear. And when what they hear resonates in the business sense with their purpose and objectives, half the battle is already won.
With the angst gone in the CISO’s office, the melancholy Here Comes the Rain Again might give way to the uplifting Beatles favorite Here Comes the Sun!
Discover the unstoppable power of DEFEND and PlurilockAI, the ultimate AI-generated tools that crush security threats.
Get in touch with sales@aurorait.com or call (888) 282-0696 to experience the unmatched protection that Aurora, a proud member of the Plurilock family, delivers through these groundbreaking solutions.
References
- https://www.darkreading.com/vulnerabilities-threats/how-to-talk-so-your-ciso-will-listen
- https://www.darkreading.com/edge-articles/how-cisos-can-craft-better-narratives-for-the-board