In Depth

Let's Talk: Security Leadership and Executive Communication

The CSO's guide to strategic executive communication

By Daintry Duffy

When Hancock joined Exodus, the relationship between security and finance was rocky. Finance folks viewed themselves as the guardians of the purse and Hancock's group as upstarts. Assiduously, Hancock started getting finance involved in security decisions so that they could learn the factors on which decisions were being made and thus understand the reasoning behind them. It was a carefully tailored education process that paid dividends for both sides. Later, when Hancock had to buy 800 firewalls, the finance department negotiated a leasing arrangement that saved his group a lot of money.

CSOs looking for someone with whom to commiserate over the difficulty of getting business executives to pay heed to seemingly arcane policies and procedures could do worse than hoist a few with the corporate counsel. Kingsley Wallman, vice president and associate general counsel with Exodus, notes parallels between the communication challenges faced by the CSO and those facing the legal department. Both groups are perceived as having been built around highly specialized disciplines that seem distant from the realities of business. And both call for the ability to communicate and interpret their fields to sometimes disinterested executives.

Wallman suggests that because CSOs must often communicate about conceptual and highly technical topics, they should make an effort to relate to their fellow executives in person. "A CSO, and I think Bill [Hancock] would agree, is often better served to pick up the telephone instead of sending an e-mail, and would do even better to put down the handset and walk down the corridor," he says.

And it's not enough to just go blabbing horror stories. What's needed is to put things in context. "It's translating threats into the risk to business and communicating that you're working with them, not against them, to come up with solutions," says Rick Lacafta, chief information security officer with Travelers Insurance.

Like an external security vendor, the CSO needs to market his group's services across the enterprise (a skill few CSOs have mastered) to get the message out about what it can do for business units. Building a security plan is only the beginning. The CSO must then communicate the project deliverables and the game plan to the rest of the organization, and educate and evangelize about the benefits that each constituency will receive from the plan's implementation.

When talking to other senior executives about security, focus the message on their particular areas of responsibility and accountability. Show them how security can achieve one of their objectives. A CSO who effectively communicates his role to the enterprise will no longer have to chase down resistant project leaders and executives. Instead, the executives will begin to seek out the security team and value its contributions.

4. Getting to Yes

Frequently, security decisions rest upon the CSO's ability not only to communicate effectively but to negotiate well. Risk management is an imperfect art, and security vulnerabilities change by the day. Much of the CSO's time is spent negotiating toward solutions, both temporary and long-term, for unexpected vulnerabilities. Christiansen points out that the key to doing this well is to first reassure internal customers that your goal is to find a "cost-effective solution to the business problem." Translation: This is about solving a business problem, not breaking your budget with some big-ticket technology toys. "Next, as in any negotiations, understand their point of view, motivations and overall objectives," says Christiansen. "More often than not, given equal understanding, a way to accomplish both goals can be found." The sales technique of creating a "win-win" is a good goal to have, but if the security issue at stake is critical enough, CSOs can't afford to settle for dangerous compromises that will place the company at risk.
