[BreachExchange] The Communication Imperative for CISOs

Destry Winant destry at riskbasedsecurity.com
Wed Jul 1 10:26:02 EDT 2020


https://www.securityweek.com/communication-imperative-cisos

One of the potential upsides for security leaders as a result of the
COVID-19 pandemic is a renewed focus on cybersecurity and business
resiliency. Seemingly overnight, your expertise, resourcefulness and
dedication became recognized as integral to shifting your business to
become distributed and digital. Now’s the time to take advantage of
all the attention and step up your communications skills, so you can:

• Demonstrate the value you and your teams are providing during the crisis

• Collaborate more effectively to improve security operations, even
when teams are working remotely

• Educate the organization on how you mitigate cyber risk on a daily basis

Let’s take a closer look at each.

Demonstrate. The best days for security technologies and teams are
when they aren’t seen – when they’re doing their jobs to secure the
business, employees and customers, without impacting productivity and
user experience. Although you’ve been in the spotlight, that doesn’t
mean that your executive team and Board really understand the work
that happened largely behind the scenes. I’m sure you’re familiar with
the phrase, “Tell them what you’re going to do, do it, and then tell
them what you did.” Now that you have leadership’s attention, use the
opportunity to bring them along the journey. Explain the unique
challenges the company faced, how you and your team overcame them, the
value delivered, lessons learned, and how to continue to improve
security operations. After all, you know that the next disruption isn’t
too far behind and there is no such thing as preparing too early.

Collaborate. How you communicate with your team has changed – at least
in the near term, if not permanently. With employees working from
home, you can’t tap an analyst on the shoulder to assign them a task
or walk down the hall to get an update on an investigation. You’re
geographically dispersed, but you still need the ability to work
effectively with team members and across teams. A single, online
collaborative environment that fuses together data, evidence and users
enables individual team members and different security teams to access
the intelligence they need to do their jobs as part of their workflow,
and actively share learnings or directly communicate with each other.
As a security leader, you can benefit from this collaborative
environment as well. You can oversee investigations remotely,
observing the analysis as it unfolds and directing action when and how
you need to. With a “virtual shoulder tap” you can break down projects
and assign tasks to specific individuals, coordinate tasks between
teams, and monitor timelines and results. Even when analysts are
working remotely, you can continue to coordinate investigations and
remediation.

Educate. Boards are maturing in their understanding of cybersecurity
and asking more detailed questions. They don’t just want to know if
the latest threat pertains to the organization, but in what ways and
how you know that. Start thinking now about the information and
capabilities you need to help you communicate in a simple and clear
way. For example, if there is a new vulnerability or threat in the
news, the CEO may ask: “What is it?”, “Does it pertain to us?”, or
“How are we impacted?” You need to be able to answer in a clear and
concise manner. This involves understanding external data on the
threat, identifying events and associated indicators from your own
internal systems and correlating the two for context and relevance to
your environment. With this information you can explain, in a format
that is easily digestible for people who don’t live and breathe
security, whether or not they should be concerned about a recent
attack that made the headlines. Simple explanations help put their
mind at ease, whether the news is good (e.g., “The latest ransomware
attack is taking advantage of a vulnerability we’ve already patched,
so this isn’t a threat to be concerned about.”) or not so good (e.g.,
“Internal data and events indicate some evidence of potential
malicious activity, so we’re taking steps to contain it and are now
remediating the affected systems.”).

As we look to the remainder of 2020 and where we should focus our
attention, I encourage security leaders to take advantage of one of
the few silver linings of the pandemic – a renewed appreciation for
the role of security experts. Put communications at the top of your
priority list, not only to showcase the value your department
provides, but to lay a foundation of knowledge and trust that will
likely pay dividends when budgeting season rolls around.

