Let's Talk: Security Leadership and Executive Communication

The CSO's guide to strategic executive communication


When talking to other senior executives about security, focus the message on their particular areas of responsibility and accountability. Show them how security can achieve one of their objectives. A CSO who effectively communicates his role to the enterprise will no longer have to chase down resistant project leaders and executives. Instead, the executives will begin to seek out the security team and value its contributions.

4. Getting to Yes

Frequently, security decisions rest upon the CSO's ability not only to communicate effectively but to negotiate well. Risk management is an imperfect art, and security vulnerabilities change by the day. Much of the CSO's time is spent negotiating toward solutions, both temporary and long-term, for unexpected vulnerabilities. Christiansen points out that the key to doing this well is to first reassure internal customers that your goal is to find a "cost-effective solution to the business problem." Translation: This is about solving a business problem, not breaking your budget with some big-ticket technology toys. "Next, as in any negotiations, understand their point of view, motivations and overall objectives," says Christiansen. "More often than not, given equal understanding, a way to accomplish both goals can be found." The sales technique of creating a "win-win" is a good goal to have, but if the security issue at stake is critical enough, CSOs can't afford to settle for dangerous compromises that will place the company at risk.

The last technique for effective advocacy is to ensure that executives and other employees can easily understand security policies and procedures in written as well as verbal form. At Merrill Lynch, Bauer requires his security staffers not only to think like businesspeople, but also to communicate like businesspeople. He instituted a rule within his group that IT security documents be brief, be free of dense technical jargon, and read like crisp executive summaries.

5. Got Clout?

Few CSOs get their marching orders directly from the chief executive. More often than not, they report to the CIO. But regardless of reporting structure, CSOs must make sure that they can escalate an issue to senior management if the situation warrants. "Make sure you have authority," says Mary Ann Davidson, CSO for software-maker Oracle. "Responsibility without authority is frustration." Whether validation comes from the CIO or CEO, the word needs to circulate around the executive suite and throughout the company that the CSO role is important.

There will be times when other executives, whether innocently or not, try an end run around the security group to get a business goal accomplished in the fastest, cheapest way. CSOs can take steps to thwart such attempts. The first is to institutionalize a policy requiring security sign-off in the design phase for all projects that involve a major change to infrastructure or an application. The document should list all the alternative mitigation strategies and the risks to the business of not implementing the stated requirements. The business unit executive can sign off on a decision to ignore the security group's proposed remedy and accept the risk. That is the approach GM has taken under Christiansen's direction. The signed documents are provided to the internal audit group, which can step in and flex its regulatory muscle if the agreed-upon policy is in any way violated.

Exodus's Hancock prefers a less-regimented technique that he calls security guilt. He holds a meeting with the responsible parties during which he appeals to their intellect and ethics and explains the risks of not including security in the initiative. "Usually people do want to do the right thing, securitywise," he says. It's just that they "may see security folks and procedures as an impediment to getting something done. I try to work out the issues so that they feel security is backing the project, not trying to kill it."

Building and maintaining strong relationships with business executives and their groups requires the CSO to assume a number of different guises: educator, strategist, negotiator, interpreter and, sometimes, disciplinarian. Oracle's Davidson has one last morsel of advice for CSOs interested in smoothing their way with other executives and the company at large. "People ought to be thanked for doing their job more often," she says, noting that CSOs will find more cooperation if they ask for it politely and show their appreciation instead of barking out orders and throwing their weight around. "Business is personal," Davidson says. "It's not being manipulative, it's just that you catch more flies with honey."

Copyright © 2002 IDG Communications, Inc.
