In Depth

Let's Talk: Security Leadership and Executive Communication

The CSO's guide to strategic executive communication

By Daintry Duffy

We talked to some top CSOs to glean their best practices for making these critical executive partnerships work.

1. Don't Just Say No

After discovering his predecessor's punitive approach to corporate security, Hancock realized that he needed to rebuild the image of the Exodus CSO into that of a kinder, gentler team player. His first step was to track down the owners of those 45 confiscated computers. Many of them had in fact been computerless. Hancock gave the computers back, got them cleaned up, loaded them with new security tools, and briefed their owners on how to keep from being hacked again. Says Hancock, "Pretty soon people who once had fear and loathing in their hearts for the security guys began to say, 'These are really nice people. They're trying to help me be secure and will explain to me what's going on.'" Hancock's rule, which has been effective with employees and executives alike, is "Never tell people no. Tell them how." That helps create the perception that security is an ally rather than an enemy.

In fact, changing perceptions requires that CSOs curtail all kinds of negative communication as much as possible. For example, instead of waging an endless battle to stamp out employees' bad habits, look for technology solutions that will compensate for them. In practice that means, instead of raking employees over the coals for visiting forbidden websites or losing their laptops, you would deploy embedded technology controls that prevent access to certain kinds of websites or that automatically encrypt laptop data. "The tip is to look for noninvasive ways to implement security," says James Christiansen, chief information security officer for General Motors. "[Users] don't even realize it's there, and if their laptop falls outside corporate hands, we know it's protected."

CSOs should also consider exploiting executive partnerships as a way to off-load some of the dirty work of communicating with the company about security. Why not harness HR's expertise in policy creation and dissemination to push new security policies out to employees? Internal audit groups can likewise be useful partners when departments disregard some company policy and need to be whipped into shape.

Giving your business partners both a voice and a choice in security decisions is another way to foster strong partnerships. If CSOs talk in the lexicon of risk and reward, and provide an analytical basis for decision making, they can actually leave final decisions to the business owners closest to the issues. This creates buy-in within the business groups because they are ultimately making decisions rather than being dictated to by an outsider.
