You know the old break-up line, “it’s not you, it’s me….”? As a CISO, what if when you get your few minutes to discuss security with the C-suite, board of directors or mission leadership, it really turns out to be you not them who failed in the communication?
Lack of success in communicating with your C-suite could lead to a breakup sooner or later. I’ve had hundreds of conversations with and about CISOs communicating with their executive leadership, on topics ranging from security breach information, status, performance metrics, risk, and visualizations to overall security posture.
And largely, it turns out to be no surprise that communicating security information is incredibly difficult, especially with non-technical, disinterested, or time-constrained C-suite executives.
It’s Not New, Just New To You (said to Christopher Columbus)
This problem is not new, and is being discussed broadly within the security industry. But other than a few pat suggestions we keep hearing over and over from the sidelines, there seems to be a communication gap that’s not improving.
In fact, with the likely tenure of most CISOs being estimated at 18 months (Forrester) to four years (Gartner), I’d suggest that this communication gap urgently needs some communication-savvy CISOs to step up and share some real tips on how they are succeeding at communicating their state of security to executive leadership. Are there any CISOs succeeding at this? Perhaps not many.
CISOs – Very Complex and Technical People
The recent 2013 State of Risk-Based Security Management study by the Ponemon Institute unfortunately indicates that most senior executives are only asking to hear from their CISOs when breaches have occurred or other security crises hit (see the ‘on an as-needed basis’ category).
In addition, IT and IT security communications with C-suite executives rarely occur on a regular schedule, monthly or quarterly, the way other business disciplines such as finance, HR, or manufacturing report.
So there is no opportunity to educate and refine the information or even to establish familiar terminology so that these busy, non-technical executives have a frame of reference for the security issues facing their companies.
Forrester’s 2012 study on “Navigating the Future of The Security Organization” quoted an expert saying he “routinely heard board members from some of his largest clients express frustration with the information security function.”
He noted that “many top executives have had poor relationships with CISOs in the past, and that continues to shape their perceptions today. They see people in the IS profession as technologists, not equals. The No. 1 complaint from the board is that they are stuck dealing with very complex and technical people.”
A CISO Making Headway with the C-Suite
I recently spoke at the August SANS Critical Security Controls Summit 2013 in Washington, DC and had the good fortune to hear a talk by Larry Wilson, CISO of the University of Massachusetts on his communication and how he’s getting things to work at his institution. He has an incredible challenge.
The size and security needs of UMass would daunt many experienced CISOs, and Larry will admit to the challenges. His perspective was refreshing, and may lead to a few answers, though clearly every environment is unique.
Success with SANS
The initial UMass Security Program was based on the ISO/IEC 27002 controls framework; then, starting in 2011, the SANS 20 CSC were added. Today’s program includes both. The ISO controls focus on program management, compliance and process from an IT auditor’s perspective, while the SANS controls’ focus on technology means they are better aligned with IT operations.
Prior to 2011, Wilson was having difficulty communicating with executive management (CIOs and others) – it was difficult to translate the purchase and implementation issues surrounding firewalls, anti-virus, and vulnerability scanning into easily familiar business terms and concepts relevant to management and process.
However, when he ditched trying to explain the ISO/IEC 27002 security controls framework in favor of using the SANS 20 CSC, he was able to communicate much more effectively with his C-suite for the first time in a way they could absorb and support.
In addition, he and his team have been able to map out a measurable and actionable security program based on SANS that he regularly succeeds in communicating to his executive team.
Audit / Compliance CISOs Speak Executive
Wilson’s background is in audit and compliance, and I’m seeing this as a trend. CEOs and boards are seeking audit, compliance, and risk management backgrounds in their new CISOs.
Forrester notes that many organizations are hiring VPs or C-level IT Risk titles with this same background. A big part of the reason is that CISOs with this audit/compliance/risk management background tend to approach their work with a higher level of business context and often with stronger communication skills than many CISOs currently demonstrate.
Add to that the clear English and business context embedded in the SANS 20 CSC descriptions, and Wilson had the tools needed to translate his security program to non-technical executives and peers. Feedback from his C-suite provides encouragement that effective CISO communication can be done.
- One tool Wilson uses is communicating security information like financial portfolio management details. His executive team gets that. He sometimes uses the analogy of the UMass ‘security portfolio,’ with resources, performance trends, and risk factors powerfully shared with execs who are used to these financial terms, and can be helped to see security assets that way.
- Wilson took things a step further, preferring to describe his security program components and progress in terms of ‘use cases’ – not “metrics” or other jargon natural to security practitioners. Sure, there are metrics, KPIs and performance indicators embedded, but by changing the language (really, changing the conversation) Wilson has been able to get through to his executive teams. And he’s not stopping there.
- Wilson is working to share his experience with the SANS 20 CSC, across affiliate universities in Massachusetts and Rhode Island, as well as help them along as they’re adopting the SANS Top 20. He is additionally developing suggestions for SANS on automation and measurement for the critical controls, plus specific reporting needed so it doesn’t take endless days to gather and analyze data for executive consumption.
We need more of this kind of insight from security community CISOs on the firing line. I’ll suggest that the challenge to effectively communicate at an executive level is a ‘soft skill’ infrequently present in IT Security leadership, and one we need to see as part of the business-side curriculum for new security professionals.
Just under 50% of those surveyed in the 2013 Ponemon Institute risk study indicated they think they are not effectively communicating to their senior executives.
And perhaps those who place themselves in the ‘Effective’ or ‘Very Effective’ categories just think they’re getting their points across.
If you aren’t communicating upstream very well, maybe it is you (and in fairness, probably them, also.)
If you have been successful communicating with your board or C-suite and executive peers, and think you’ve got some ideas helpful to others, please share what’s working for you (my email is in my bio below).
Let’s get some collaboration going among the CISO community on how to succeed at changing the conversation!
P.S. Have you met John Powers, supernatural CISO?