In Depth

Let's Talk: Security Leadership and Executive Communication

The CSO's guide to strategic executive communication

By Daintry Duffy

Page 6

The last technique for effective advocacy is to ensure that executives and other employees can easily understand security policies and procedures in written as well as verbal form. At Merrill Lynch, Bauer requires his security staffers not only to think like businesspeople, but also to communicate like businesspeople. He instituted a rule within his group that IT security documents be brief, be free of dense technical jargon, and read like crisp executive summaries.

5. Got Clout?

Few CSOs get their marching orders directly from the chief executive. More often than not, they report to the CIO. But regardless of reporting structure, CSOs must make sure that they can escalate an issue to senior management if the situation warrants. "Make sure you have authority," says Mary Ann Davidson, CSO for software-maker Oracle. "Responsibility without authority is frustration." Whether validation comes from the CIO or CEO, the word needs to circulate around the executive suite and throughout the company that the CSO role is important.

There will be times when other executives, whether innocently or not, try an end run around the security group to get a business goal accomplished in the fastest, cheapest way. CSOs can take steps to thwart such attempts. The first is to institutionalize a policy requiring security sign-off in the design phase for all projects that involve a major change to infrastructure or an application. The sign-off document should list all the alternative mitigation strategies and the risks to the business of not implementing the stated requirements. The business unit executive can sign off on a decision to ignore the security group's proposed remedy and accept the risk. That is the approach GM has taken under Christiansen's direction. The signed documents are provided to the internal audit group, which can step in and flex its regulatory muscle if the agreed-upon policy is in any way violated.

Exodus's Hancock prefers a less-regimented technique that he calls security guilt. He holds a meeting with the responsible parties during which he appeals to their intellect and ethics and explains the risks of not including security in the initiative. "Usually people do want to do the right thing, security-wise," he says. It's just that they "may see security folks and procedures as an impediment to getting something done. I try to work out the issues so that they feel security is backing the project, not trying to kill it."

Building and maintaining strong relationships with business executives and their groups requires the CSO to assume a number of different guises: educator, strategist, negotiator, interpreter and, sometimes, disciplinarian. Oracle's Davidson has one last morsel of advice for CSOs interested in smoothing their way with other executives and the company at large. "People ought to be thanked for doing their job more often," she says, noting that CSOs will find more cooperation if they ask for it politely and show their appreciation instead of barking out orders and throwing their weight around. "Business is personal," Davidson says. "It's not being manipulative, it's just that you catch more flies with honey."
