Making Communication on security with management effective
Sachin Jain, Global CIO, Evalueserve
The role of the CISO has come a long way, from hands-on practitioner to strategic leader. Communication has become a central part of that role, whether with internal users, management, clients or vendors. Be it about policy changes, risks, controls or technology changes, communication plays a large part in how successful a CISO office can be in designing and executing the security strategy.
The role of the CISO is increasingly a front-line role, as organizations deal with risks all around, especially technology and cyber risk. Many breaches are happening globally, and some big names are making headlines. Organizations are realizing the impact a single serious security incident can have, including on the survival of their business, and they are looking to de-risk their business with the help of the CISO office. In such situations, effective and clear communication helps manage risks proactively and bridges the gap between the board's understanding and the CISO office's priorities.
The CISO has to speak the language of the business when explaining threats and risks to the board and business leaders. Technical and complex terminology does not help the CISO office establish credibility, which is very important for a security function.
Some of the key items to cover when presenting the cybersecurity program to the board and business stakeholders -
a. What the key risks and threats are
b. What is working well
c. What needs to be done
d. Metrics and facts that support the program
e. Benchmarking against other companies and competitors in the industry
f. What is required to improve the program continuously
g. How the program is designed in line with the business's priorities to protect the organization
Some other important points for the CISO office to keep in mind -
a. Avoid technical jargon and acronyms; use business language
b. Present visually powerful data points instead of pure text, and include dollar figures to make the material more relevant to the board
c. Assess and present the impact on brand, revenue, regulatory compliance and client compliance
d. Speak in context, with numbers and specific points in hand
e. Be clear about what is missing and what decisions the organization has to make on changes and investment
It is the responsibility of the CISO office to build a strong security culture within the organization, so that security does not require special effort on a day-to-day basis.
Often, there is a disconnect between the board's priorities and what the security function sees as the way forward. Such divides put the organization at risk and create uncertainty. The security agenda has to be driven from the top and should be clearly understood by both the business and the security function. In many organizations it is not an easy job to convince the board of the investment the CISO has to make to protect the organization, so a crisp and clear communication strategy will always help.