The responsibilities of chief information security officers (CISOs) continue to grow and expand throughout the enterprise — and so has the need for CISOs to be articulate leaders and masters of effective communication.
CISOs must ensure that cybersecurity strategy is aligned with business strategy and that technical threats are expressed in terms that are relevant to the business.
How to Become an Articulate Leader and CISO
An articulate leader can extend their influence well beyond the security department. Effective communication skills exemplify and complement executive presence — expanding the ability to govern by clout rather than exclusively by formal authority. An articulate leader must be able to explain cybersecurity strategy to the rest of the C-suite and board, engage with line-of-business managers and communicate clearly with their own security staff.
According to a 2017 survey from Information Systems Security Association International (ISSA), the most important qualities of a successful CISO are leadership (52 percent), communication skills (43 percent) and “a strong relationship with business executives” (35 percent). A handbook on cyber-risk oversight from the National Association of Corporate Directors (NACD) states that “the CISO should be able to articulate how cybersecurity isn’t just a technology problem; it’s about paving the way for the company to implement its strategy as securely as possible.”
In other words? CISOs must adapt their communication style and substance to ensure the various stakeholders are properly informed of what is being done, why it’s being done and how decisions made at every level of the business might impact the organization’s cyber-risk profile.
1. Leverage Help From Other Stakeholders
While CISOs are feeling and reporting the pressure to improve communication, help might be closer than they think. Board directors have been taking stock of their own level of engagement with CISOs and extending an olive branch. In its cyber-risk handbook, the NACD noted that directors should “seek to establish an ongoing relationship with the CISO” and recommends that directors ask themselves, “How can the board effectively communicate with the security executive?”
Leveraging this help is important: Fifty-five percent of CISOs state that they have a “regularly scheduled report on the state of IT security to the board of directors,” and another 46 percent report having an “upstream communication channel from the security leader to the CEO or other C-level personnel,” according to a 2017 Ponemon Institute report.
2. Adopt a Business Mindset
Speaking primarily on a technical level isn’t going to help the CISO connect with the rest of the organization. While it’s true that many cybersecurity issues stem from the use of a particular technology — whether for enablement or as a defensive control — the significant cyber risks associated with that technology would impact the business (or they wouldn’t be significant).
So, the articulate leader needs to invest time to learn about what drives the business and ensure that the security function enables — or at least protects — the organization’s ability to generate value.
3. Check Your Communication Style
The articulate leader should regularly check their particular communication style to ensure it’s appropriate and effective. That means minimizing esoteric jargon in exchanges with the C-suite and board. It also means knowing when to use a specific communication channel (i.e., email, phone call, meeting, report or even text message). Each channel has a different purpose and might not be appropriate for every situation.
The best way to check your communication style (and whether your message was understood) is to ask for feedback. If done openly and sincerely, asking for feedback can also earn you new supporters in the organization.
Why? People will come to realize that their input and feedback are taken into account, which helps them feel that their voices are being heard.
4. Craft and Refine a Communication Strategy
Successful mountain climbers don’t just wake up one day, decide to ascend the tallest peak and take off. Instead, they grab hold of their goal and create a strategy that aligns with its achievement — one step at a time. Similarly, security leaders would do well to review their communication strategy to ensure it provides them with achievable wins (instead of faraway dreams).
The NACD handbook also stressed that boards are looking for communication that conveys meaning in ways that are relevant to them, are easy to understand and don’t overwhelm the reader (just the right amount of information at the right time).
5. Focus on the Key Message
It may seem obvious, but having a focused message that aligns with the needs of the business is a critical part of effective communication between the CISO, C-suite and board. To facilitate engaging conversations with these groups, CISOs should consistently target their message to the interests of their audience.
Before delivering the message, CISOs must consider how it will be received and what would be the logical next steps for someone who just read or heard it. The purpose of the message and any call to action should be clear — and so should be the reason for the message, its timing and its context.
The articulate leader will prove their value to the organization through their ability to provide insights on cyber issues, advise business leadership on appropriate courses of action and execute tactics to keep cyber risks under control. In doing so, the CISO will have demonstrated the ability to be a true cyber-risk partner to the business.