The role of the information security professional, be it at the chief information security officer (CISO) level or at the security analyst level, continues to undergo rapid and significant transformations. For years, security leaders have asked — no, begged — for a seat at the executive table. As an increasing number of organizations feature cyber risk reporting to the executive layers, security professionals at all levels must adapt to this new audience by developing an appropriate set of professional skills.
The fastest way to lose the attention of executives is to start talking in computer or security jargon. Most of us have likely experienced this, either because we were the ones communicating in such a manner or because we witnessed our own colleagues or bosses do so. How do we avoid confusing or frustrating the executives in our audience?
The Audience Matters
Security professionals and CISOs who have risen through technical ranks are very good at talking tech. And as long as they are talking to other techies, such use of jargon is not only tolerated, but expected. Yet if one spends just a few minutes eavesdropping on the conversations that executives have amongst themselves, one quickly realizes that the language used is casual, conversational and, in a word, understandable.
For the security professional, this new audience may appear to be conversing in a foreign language. You might hear them complain, “What do you mean I can’t talk about VPNs or IDS or SIEM?” The foreign language metaphor is a simple yet powerful representation of the difference in culture, expectations, vocabulary and grammar that one might experience. Much like with learning to speak in a foreign language, the first few days, weeks or months are difficult as one trains their brains to translate concepts and messages into this new way of conversing.
The Message and Its Framing Matters
One of the key benefits of the increased conversations around cyber risks (i.e., how much risk do we have, and is that something we are comfortable with?) as opposed to information security (i.e., are we secure?) is the need for and the opportunity to have significant — yet sometimes very thorny — discussions about cyber risks with the various stakeholders. The way the message is framed is essential to either continuing such conversations or shutting the door on them. For example, the U.K. government was able to generate an extra £1.9 million, or about $3 million, in additional tax revenue in just 23 days by including two sentences using minority framing to make a point with late taxpayers: “Nine out of 10 people in the U.K. pay their tax on time. You are currently in the very small minority of people who have not paid us yet.”
For example, when reporting risk metrics, one can document the current versus previous quarter’s numbers by using a simple yet clear visual representation, such as the radar chart in the example below:
Key Questions to Improve Your Professional Skills
- Are you communicating concepts and issues in the language of your executives? If not, immerse yourself in their world by surrounding yourself with some of the same resources and sources of information (The Wall Street Journal, Harvard Business Review, company reports, financial reports, etc.).
- Is your message adapted to the audience, both in terms of granularity — reporting at a level of detail appropriate for the audience — and in terms of presentation?
- Is your message framed in such a way as to engender conversations around information risks as opposed to giving a closed-ended and likely wrong view of the organization’s security posture?
- Do you have access to a mentor — internal or external — who can provide you with feedback about how effective your presentations and communications to business executives are?
Other Resources for the Information Security Professional
To learn more about the art of making strong arguments, I suggest you read “Rhetoric, Logic, & Argumentation: A Guide for Student Writers” by Magedah E. Shabo.
To learn more about positioning yourself and your communications towards your clients, whether internal or external, I suggest you read “The Trusted Advisor” by David H. Maister, Robert Galford and Charles W. Green.
InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato
Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information ...