June 3, 2015 By Christophe Veltsos 3 min read

The role of the information security professional, be it at the chief information security officer (CISO) level or at the security analyst level, continues to undergo rapid and significant transformations. For years, security leaders have asked — no, begged — for a seat at the executive table. As an increasing number of organizations feature cyber risk reporting to the executive layers, security professionals at all levels must adapt to this new audience by developing an appropriate set of professional skills.

The fastest way to lose the attention of executives is to start talking in computer or security jargon. Most of us have likely experienced this, either because we were the ones communicating in such a manner or because we witnessed our own colleagues or bosses do so. How do we avoid confusing or frustrating the executives in our audience?

The Audience Matters

Security professionals and CISOs who have risen through technical ranks are very good at talking tech. And as long as they are talking to other techies, such use of jargon is not only tolerated, but expected. Yet if one spends just a few minutes eavesdropping on the conversations that executives have amongst themselves, one quickly realizes that the language used is casual, conversational and, in a word, understandable.

For the security professional, this new audience may appear to be conversing in a foreign language. You might hear them complain, “What do you mean I can’t talk about VPNs or IDS or SIEM?” The foreign language metaphor is a simple yet powerful representation of the difference in culture, expectations, vocabulary and grammar that one might experience. Much like with learning to speak in a foreign language, the first few days, weeks or months are difficult as one trains their brains to translate concepts and messages into this new way of conversing.

The Message and Its Framing Matters

One of the key benefits of the increased conversations around cyber risks (i.e., how much risk do we have, and is that something we are comfortable with?) as opposed to information security (i.e., are we secure?) is the need for and the opportunity to have significant — yet sometimes very thorny — discussions about cyber risks with the various stakeholders. The way the message is framed is essential to either continuing such conversations or shutting the door on them. For example, the U.K. government was able to generate an extra £1.9 million, or about $3 million, in additional tax revenue in just 23 days by including two sentences using minority framing to make a point with late taxpayers: “Nine out of 10 people in the U.K. pay their tax on time. You are currently in the very small minority of people who have not paid us yet.”

For example, when reporting risk metrics, one can document the current versus previous quarter’s numbers by using a simple yet clear visual representation, such as the radar chart in the example below:

Key Questions to Improve Your Professional Skills

  • Are you communicating concepts and issues in the language of your executives? If not, immerse yourself in their world by surrounding yourself with some of the same resources and sources of information (The Wall Street Journal, Harvard Business Review, company reports, financial reports, etc.).
  • Is your message adapted to the audience, both in terms of granularity — reporting at a level of detail appropriate for the audience — and in terms of presentation?
  • Is your message framed in such a way as to engender conversations around information risks as opposed to giving a closed-ended and likely wrong view of the organization’s security posture?
  • Do you have access to a mentor — internal or external — who can provide you with feedback about how effective your presentations and communications to business executives are?

Other Resources for the Information Security Professional

To learn more about the art of making strong arguments, I suggest you read “Rhetoric, Logic, & Argumentation: A Guide for Student Writers” by Magedah E. Shabo.

To learn more about positioning yourself and your communications towards your clients, whether internal or external, I suggest you read “The Trusted Advisor” by David H. Maister, Robert Galford and Charles W. Green.

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today