In Depth
Let's Talk: Security Leadership and Executive Communication
The CSO's guide to strategic executive communication
By Daintry Duffy
To combat the perception that security is divorced from the business world, Bill Boni, Motorola's chief information security officer, has even gone so far as to shun the usual moniker "IT security" in favor of the more business-friendly title "information protection." The goal is to position the department as the protector of information assets in all forms, whether it's customer data housed in a server or confidential contracts in a sheaf of papers.
Talking in business terms with executives can also be a tremendous asset in advancing the CSO's agenda, which is often bogged down by the perception that it's too technical for business executives to understand or to be bothered with. "I've seen too many information security practitioners fall short in their role because what they really love is the technology," says Boni. "They open with the technology dimension, go into technical detail, and by the time they get to the part where the executives' insight, experience and judgment can be engaged, the executives are already disengaged. They conclude that security is at a level that's inappropriate for their consideration."
The better tack, according to Boni, consists of four key elements: Understand the business, understand what makes it successful, identify the factors that can put that success at risk, and then find ways of managing that risk through technical, operational or procedural safeguards. Use that knowledge for your conversations with business executives.
Working with business executives is easier when you also arm yourself with knowledge of the initiatives that are under way in their business unit and the challenges each executive faces. It's helpful to have a network of sources you can draw upon to discuss threats, current projects, and any concerns or feedback that business units may have about security usability. These individuals can also act as the CSO's evangelists throughout the enterprise, spreading the word about new policies and threats.
3 Practice Your Delivery
As anyone who's ever been to a security conference knows, speeches about security can be deadly dull. Faced with the challenge of having to communicate about security to large groups both inside and outside his company, Hancock took the unusual step of enrolling himself in a stand-up comedy course to improve his communication skills. The final project for the class was to do an actual stand-up routine at The Improv, New York City's renowned comedy club, on a Friday night. "It was one of the most horrifying experiences I think I've ever been through," says Hancock. "You get up in front of an audience, half the people there are probably inebriated in some fashion, and you've got to communicate what you have to say very quickly, very succinctly and to a whole bunch of people that don't know you from nobody."
The lesson here is not that CSOs need to be honing their comic routines, but rather that life is full of tough audiences. When dealing with a weighty topic like security, it's important to focus on how you communicate as well as what you communicate.



