Security Leaders Must Speak the Language of the Audience They Are Trying to Communicate With
Recently, while visiting customers and partners in Turkey, I was inspired to write this piece. I have always found Turkey to be a strikingly beautiful country, and the Turkish people to be warm, friendly, and inviting hosts. If you have ever visited Turkey or interacted with Turkish people, you will probably not find this particularly surprising. Of course, if you have ever listened to the Turkish language or tried to learn a few words in Turkish, you will likely agree with me that Turkish is an extremely difficult language.
Just after my visit to Turkey, I co-presented a webinar with an executive from HPE. On the webinar, we discussed various aspects of the CISO role, and how they relate to the long term career of a CISO. One of the aspects we discussed was the need to communicate clearly upwards (to executives and the board) downwards (to those within the security organization), and “sideways” (to other key stakeholders).
At this point, you may be asking yourself what the Turkish language and a webinar about career impacts for the CISO role have to do with each other, and what they have to do with information security in general. That is certainly a reasonable question. I believe that, indeed, there is an important security lesson that we can learn here.
This is where we can learn an important lesson. As security leaders, we need to speak the language of the audience we’re trying to communicate with. Risk, reporting, and metrics are three important topics within information security, and they all mean drastically different things to different audiences. Let’s illustrate this point by taking a look at the language different audiences speak around each of these topics.
Risk
• Board and Executives: To executives and the board, risk primarily means disruption of the business and monetary loss. In order to speak this language, you’ll need to show how the good work you’re doing is mitigating risk to the business. Don’t be surprised if direct comparisons are made between your budget and the amount of risk (in monetary terms) that you’re mitigating.
• Security Organization: Have that risk register all filled in like the good security leader that you are? Be prepared to map this to operational and tactical goals and projects for your security organization. Information security professionals are highly skilled and can do amazing things, but they don’t speak risk register.
• Customers: How good are you at communicating precisely how you are protecting your customers’ sensitive, proprietary, and confidential data? Because that’s generally the primary risk they are concerned about. All of your efforts need to be mapped into this framework in order to be communicated to the customer.
• The Business/Other Stakeholders: The business is primarily interested in ensuring continuity and meeting customer expectations. Of course, a security incident can hamper both of these significantly. But if you can’t communicate the risk in the appropriate language, how do you expect the business to understand?
Reporting
• Board and Executives: Are you reporting number of tickets closed and number of alerts handled to your executives? Guess what? Those numbers are meaningless to them. Try mapping the good work you’re doing to the risk concerns I mentioned above.
• Security Organization: Good information security professionals want to know how best to communicate the value of the work they’re doing. Work with them to help translate from tactical and operational efforts to strategic objectives.
• Customers: Customers don’t care about how many tickets you closed or how many alerts you handled either. Any reporting that will be meaningful to customers needs to speak the language of safeguarding sensitive, proprietary, and confidential information.
• The Business/Other Stakeholders: The business needs to understand how your efforts are helping them to ensure continuity and meet customer expectations. Focus on reporting that clearly illustrates to the business that you have their best interests in mind, and how your efforts support and enable them.
Metrics
• Board and Executives: It will come as no surprise that the board and executives will want to understand how you are progressing against your objectives. But remember, everything needs to be tied back to how different risks are being mitigated and what the potential monetary loss is from each. Understanding how to speak this language will make your metrics far more relevant.
• Security Organization: A security team wants to understand how it is providing value in support of strategic objectives. But team members will likely struggle to see how their day-to-day job duties fit into the bigger picture. That is, unless you help them see it explicitly.
• Customers: You probably realize that customers want to know that you are continually improving the way you safeguard the data they have entrusted you with. But have you ever thought about how to translate those efforts into metrics that the customer can internalize?
• The Business/Other Stakeholders: As mentioned above, the business wants to see how you are working to help them be successful. Any metrics for the security program need to be communicated in that language in order to be meaningful to the business.
So, as you can see, a good security leader needs to speak several different “languages” on a continual basis. Even if a given audience understands the material you are trying to communicate to them, the
y will not be able to internalize the message you want to convey unless it is communicated in terms they can understand. Only then will the message resonate and will you as a security leader get the teşekkürler (thank you) that you deserve.