Why boards tune out CISOs, and 4 ways to get them to listen


Imagine an adult in front of you speaking an unknown foreign language.

Jeffrey Wheatman says that’s what most chief information security officers (CISOs) tell their boards and senior management.

Wheatman, cyber evangelist for the US-based IT supply chain security rating service Black Kite, gave that analogy during a presentation on Monday at the annual siberX CISO Forum Canada. In fact, to get his point across, he began to say … something. It might have been some language. It may have been nonsense. It was definitely incomprehensible, and it puzzled the audience of infosec professionals.

That was his point: When most infosec leaders talk, directors and senior management hear some gibberish.

The solution, he said, is that infosec leaders need to learn to communicate better with non-IT people.

A former Gartner analyst who has spoken to boards and advised CISOs on how to speak to boards, he offered these four tips for infosec leaders to be more effective:

1. Learn to speak the language of business: “They will not learn our language; we should learn from them. Expecting us to learn from them is a failed, cursed exercise.”

An example: Don’t describe the potential impact of ransomware as, ‘It will bring down the network.’ Management doesn’t know what a network is. Instead say, ‘You can’t send invoices, people can’t pay us, we can’t ship products.’ Management, Wheatman said, cares about three things: money coming in, money going out and “who’s going to be in trouble if stuff goes over the edge.” What should infosec professionals do? Take business classes, many of which are free, and learn to read the general ledger and understand how accounting is done.

2. Create stories: Don’t tell boards and management everything you know about cyber security. Express your message in words and imagery that educate, influence a decision or change behavior. How? Take inspiration from media that tell quick stories, such as movies, TV shows and commercials. Use similes, which are comparisons. Craft your message as a one-page story that gets to the point. Then practice your pitch, perhaps on a friend, child or spouse. When giving the presentation, don’t forget to pause at key points and wait for feedback: Is your pitch resonating? Never ask your audience, ‘Does this matter to you?’ But you may ask, ‘Is this helpful?’

3. Pay attention to feelings: “There are no ones and zeros in data and information,” Wheatman said. Data can persuade people, but it does not inspire action. “People remember how they felt after your presentation more than what you told them.” Think about how you want the officers to feel when you’re done, he said. If you don’t know what you want them to feel, your message may not come across well. (Hint: It’s okay to want them to feel a little intimidated, but be sure you know what you’re doing.) You can use data — with caution. Too many data points overwhelm the audience. Find a few kernels and build around them. Look for the hot buttons: Know what’s important to your audience. The CEO wants to hear about the impact of cyber security on their pet project, the COO wants to hear about the operational impact, and the sales department wants to hear whether it will help or hinder their ability to meet sales targets. You can mention an incident that happened to a competitor (“Let’s talk about how we could have avoided this.”). As part of this, include scenario planning: ‘What if there’s a recession, a virus sweeps the world, we lose internet connectivity….’

4. Understand the organization’s appetite for risk: You don’t want to tell them what their risk is; you want to hear their view of risk by telling stories and asking questions. But everyone must understand and agree on terms such as “risk”, “threat” and “operation”. Then create tools to prioritize those risks. Finally, make sure the risk appetite is aligned with the organization’s objectives. For example, don’t say that employees should be forbidden from installing their own software because computers will crash. Say instead, ‘We need to keep the computers running so they can help customers.’

The CISO Forum continues on Tuesday.

Related Content: How boards should talk to CISOs—and how they should talk to boards
