I have a new book coming out in the early part of August. The thrust of the book is how to actually create and launch a new Cyber business. But it is not written from the standpoint of the recent college graduate or the seasoned IT professional; rather, it is written from the viewpoint of the burnt-out or even terminated CISO who is looking for greener pastures.

One way this goal could be accomplished is to start a consulting gig focused on offering vCISO services, which is a hot ticket item right now.
But unfortunately, in the end, whether it is right or wrong or fair, it is the CISO who usually takes the fall for everything. After all, they are the easiest person to blame and put in the firing line. The CISO has a lot to deal with, ranging from how well the lines of defense are beefed up to dealing with the Board of Directors.

But one area they are often faulted for is the lack of communication from them to others in the company, or, when they do communicate, the communication is sparse and confusing at best. So, what is a CISO to do in this regard?
Here are some tips to help with that communication breakdown:

1) Understand thy audience:

As a CISO, you will be asked to talk to different people who are a part of your organization. These include both internal and external stakeholders. Not everybody is going to understand Cybersecurity the way you do, so you need to angle the content to the specific group you are talking to. Take these cases:

*For the Board of Directors: Keep things in dollars and cents.

*For employees in your company: Keep things simple to understand, and avoid any and all kinds of techno jargon.

*For the IT Department and your team: You can get as geeky as you want.

*For shareholders: Keep the topic centered around how all Cyber efforts are going to impact the Earnings Per Share (EPS).

Get the idea?
2) Start with the business objectives first:

In any form of presentation that you may give, it is always key that you never start by talking about metrics and KPIs. Why so? Well, first, your audience will probably have no idea what you are talking about, and second, you need to provide some kind of reference point for the metrics that you eventually want to point out. One of the best ways is to first talk about your business objectives from the standpoint of Cyber, focusing on what has been accomplished so far and what hasn't. It is equally important to provide a roadmap as to how you plan to finish those objectives whose goals have not been met yet. Then, once you have laid all of this out, you can get into the metrics and KPIs. Nobody likes quotas and such, but you and your IT Security team need to be judged against something that is quantitative and measurable. Sure, you can throw in some qualitative aspects as well. For example, one of the key metrics that you can talk about is the mean time to detection. This describes how long it takes a company to detect a security threat that resides in its organization. So far, the average is a long period of time, so point out how you plan to shorten that time frame for your organization. Another key point to remember in these types of presentations is that you should keep them to only 30 to 40 minutes in length, tops. Beyond that, you will probably start to have people nodding off in the audience.
3) It takes everybody:

Traditionally, IT Security teams have taken an isolationist role in what they do, because everybody else in the company thinks that if anything breaks down, these are the guys who should fix it. While this might be true in a theoretical sense, they can only do so much. They should not be finger-pointed at or isolated by any means. What I am trying to get at is that security involves everybody in the company, all the way from the Board of Directors down to the overnight cleaning crew. The CISO can foster this kind of thinking by visiting each department on a personal level and telling them directly that they are a part of the security chain as well, and that their input is highly valued. But the CISO first needs to take this mentality with their own IT Security team. There are still many complaints that CISOs often ignore their own employees, and don't even make the time to listen to them. Then, the gap in effectively communicating with other members of the C-Suite, and especially the Board of Directors, needs to close as well. The view that the other members of the C-Suite take is that Cyber is a CISO-only effort, and that they take no part in it. But guess what? With the data privacy laws that are out there today, even the C-Suite and the Board of Directors can be held both personally and financially liable if there ever is a security breach.
4) Establish the layers of accountability:

Once you have demonstrated that everybody has some sort of "teeth" in the defense game for their company, the next step is to establish some sort of accountability. In other words, if employees have agreed that what you have said is correct, then they need to be held accountable for their own roles and actions in helping to protect the digital assets. For example, employees should be held accountable if they click on a Phishing email.

Another area where accountability is going to be of grave importance is in the creation and implementation of the Incident Response/Disaster Recovery/Business Continuity plans. This really cannot be outsourced to an outside third party; the employees in your organization have to be responsible for this. In other words, as these plans are being crafted, you need to take certain employees that you think you can trust, make them part of the process, and give them assignments in these plans. Therefore, you should rehearse these plans on a regular schedule in order to make sure that all employees know their assignments and are ready to act very quickly should a security breach actually happen.
My Thoughts On This:

Improving the lines of communication in any organization is not an easy task, and in many instances, it can take a long time to fully accomplish. Although timing is critical given the way the Cyber threat landscape is unfolding in front of us, take the needed time as well to make sure that whatever you are trying to communicate is being heard and understood.

Always ask for feedback. After trying to change your ways for some period of time, always ask a sampling of employees to see how you are doing. This is the only way you will know what is working and what is not in terms of communications improvement. Remember, this should be a very honest and transparent process.