It never fails. Ask security executives to name the biggest boon or detriment to their careers, and they'll respond with the same answer: communication skills. This isn't news. But what does "communication skills" really mean, particularly when seen in the context of a security leader's success?
Perhaps the answer can best be gleaned from a close look at an actual communication breakdown. Before Russell Walker became the VP of information security at Starbucks in Seattle, he was a security consultant, a role that tends to provide an unvarnished view into corporate dysfunction.
While working with an East Coast financial firm, he witnessed the not-so-rare occasion where a CSO struggled mightily and repeatedly failed in his efforts to sell a new Internet security solution to management. "His message to management was, We're vulnerable." Walker says. "The audience was thinking, What's vulnerability? What does this have to do with me?"
What they were saying, Walker says, was, Show me how to quantify my exposure and calculate the risk to my business. So, instead of trying to sell the project through yet another presentation, the CSO tried a different format: a live demonstration.
"We demonstrated how easy it was to break into the site and get personal info on the executives in the room," Walker says. "We showed we could get their salary, their 401(k) contributions and where they lived. Suddenly, the issue of personal identification and vulnerability resonated with them. It became personal."
This anecdote helps underscore the various components of communication for the security executive. It was based on a format that conveyed the message. The demonstration used just enough information to get attention but not so much that it embarrassed or put off anyone in the room. In short, it was sensitive to its audience.
Read "The Image Issue" for a comprehensive and thought-provoking collection of articles on how to conquer security's communication challenges
In other words, you can write, speak and present until you're blue in the face, but unless you know how to reach your audience, you lack the communication skills needed to help provide adequate security to your company and be part of its success. In other words, you're really not communicating until the other party—most notably, the holders of the budgetary purse strings—can actually understand you.
Sensitivity to the audience and its context is a cornerstone of excellent communication. This is especially important for executives who function in widely distributed business operations. Just as the security strategy for an East Coast financial services concern will be far different from that for a West Coast entertainment company, so is the business culture that permeates these organizations. At the same time, what is an acceptable tone for one region within the U.S., or the world, may be offensive or unacceptable in another.
One CSO cites an example where a simple, to-the-point message about compliance at a finance company out of the New York City headquarters was received as a reprimand on the West Coast. The result was that the company spent more time focusing on the insensitive tone of the message than on its contents.
The Art of Clarityphysical break-ins, phishing attacks and intellectual property theft, this basis for communication might seem a bit low on the priority list. However, for those who want their security initiatives to be understood, valued, approved and abided by, it is the key to their survival.
The fine art of communication calls for one person to clearly convey a concept to another. This involves understanding what people need to know, what the substance of the message should be, and how and when it should be conveyed. To do this effectively, the communicator must be cognizant of the context of the necessary communication and be highly sensitive to the information needs and mode of reception of their audience. For a person focused on
"Companies are no longer willing to forgive a lack of excellent communication skills," says Jeff Snyder, president of SecurityRecruiter.com, Snyder says that unlike five to six years ago when companies were scrambling to gain a new security footing, today they are no longer willing to compromise on effective communication skills or on a strong security background. "They want it all," Snyder says. "The cake, the ice cream and whipping cream on top."
In short, when a company says it's looking for a security executive, it's seeking someone with the same business skills as any other departmental leader in the organization, who also just happens to know how to prevent, identify and thwart threats to that company and its employees.
The fact that expectations are being raised might put more pressure on security executives to be well-rounded in their skill set, but it's the price for having arrived, says Paul Argenti, professor of corporate communication at the Tuck School of Business at Dartmouth College, in Hanover, N.H. In the 1990s, the emphasis for security executives was a more technical one, he said. Then, after 9/11, companies placed more emphasis on physical security.
Argenti says that many security executives today are discovering that "the skills that once made you successful as a security professional may have had very little to do with communication." But that's no longer the case. Communication skills must be "embraced as an added value throughout the organization."
The role of the security executive is following the natural progression of maturity that other disciplines, such as information technology and human resources, have followed, Argenti says. The real and perceived threats to a company's assets have raised the visibility of security in many companies. Senior management have responded by hiring security expertise and investing in security systems. After elevating security to a strategic function, most organizations have naturally attempted to integrate it into the wider organization. As a result, people who came from a law-enforcement or military background often have found themselves in the midst of corporate restructuring. And it has been in this environment, where communication is perhaps the most critical tool for survival, where security professionals and their employers have discovered whether the right level of communication skills are in place.
Mentoring and Managing
While communication is a universal human experience, the language of security is not one that is universally shared or understood. This nomenclature and terminology may be immediately recognizable between two security professionals. However, it can be indistinguishable to downright frightening to people who speak the language of business, says Howard Schmidt, former White House cybersecurity adviser.
Schmidt started his career in law enforcement and had benefited from doing public speaking in performing that role. However, even with that background, he found that as he made the transition into the business arena his communication skills still fell short. Schmidt was fortunate. A supervisor not only made him aware of this but helped mentor him early in his career.
"He said, 'You need to develop a dialogue on the business of security, and not just security,'" Schmidt says. Security people tend to focus on what could go wrong and how to avoid it. This is often not only off the radar for many businesspeople, but it is often demoralizing and can tend to get tuned out. "When you just talk about bad things, and bad things don't happen, you just lose your credibility."
The major struggle for many security executives is to demonstrate that they understand that they are part of the business equation, says Bob Hayes, managing director of the Security Executive Council, based in Washington, D.C. "If communication is cited as an issue, it is often because of the failure to demonstrate alignment with their company's strategic objectives," Hayes says.
"Management today expects a strong security system as a given," Hayes says. "The question is, What is a reasonable amount of risk? Can you add value while you provide security?"
As for which skills a security executive should be proficient in, the answer is simply: All of them. Strong writing skills are needed to communicate in a global environment. Speaking skills—knowing not only what to say but how to say it—are critical as well. This is especially important when you're interacting with other executives, who don't have the luxury of time to figure out your message. Presentation skills are extremely important, to know how to make the point in front of a board or management team.
Like any skill set, security executives have to play to their strengths but work on their weaknesses. While business schools are now offering communication seminars, security executives should not hesitate to take Dale Carnegie courses or join groups like Toastmasters to help hone their public speaking skills, says recruitment manager Snyder.
Perhaps the single most important communication mission for the security leader is to effectively articulate the value proposition of the security discipline, and its inherent programs, to the audience it is intended to serve and protect. In this sense, security executives need to be more masterful in communication because they address a world filled with evolving threats and compliance requirements. But it must be done so in a way that encourages adoption of program practices and is seen as aligned with business objectives.
"It's our job to get everyone on the same page, says Starbucks' Walker. "We do that by building awareness. We do that by repeating the message over and over. We do that by using whatever tools we need to reach our audience." ##