CISO series: Partnering with the C-Suite on cybersecurity

In my last blog, we looked at five communication techniques that can help engage business managers in the work of cybersecurity. This week, we’ll look at how to use those techniques to bring the C-Suite into the conversation.

Not too long ago, I was speaking with the CIO of a large company (some details have been changed to protect the innocent) about one of my favorite topics: how to define security policies that balance user productivity and business risk. Before long, the CIO said, “Trust me, I know all about that.” I stopped talking and started listening. He proceeded to tell me about an incident from a previous November. Apparently, during a small window between meetings, he decided to take advantage of the free time to do some online holiday shopping. We’re all crushed for time, he knew exactly what he wanted, it took just a few minutes, and then he was off to his meeting. Only he didn’t make it very far before the head of security approached to report a security policy violation. “Can you believe it?” The CIO said. “My online shopping was flagged!” I had a feeling I knew where this story was going. “I got flagged for violating my own policy!” he said.

The CIO then explained, “It was the middle of summer, and we had just had a small security scare. At the time, the only thing I cared about was doing everything in our power to prevent a bigger incident from happening. By the time the holidays rolled around, I’d forgotten all about it.” To balance employee productivity, satisfaction, and corporate risk the company decided to allow access to a few selected shopping sites during November and December.

His story got me thinking. Could the company have established a more flexible policy back in the summer if the policy team had properly explained the pros and cons of the restrictive “no shopping ever” policy? Maybe. There is no way to know definitively. One thing’s for sure: the experience itself clearly made an impression on the CIO. I’m a big believer in learning through experience, but since we can’t learn every lesson by living through it, there are opportunities to have productive conversations with executives that can increase engagement and mitigate these sorts of issues.

Five communication strategies for engaging executives and the C-Suite with security

Using the same proven communication strategies to frame up security for business managers that we shared in the last blog, I’ll show how you can apply those techniques to your conversations with executives and the C-Suite. Here’s a hint: it all starts with the same underlying concept. No matter how high up in the organization she or he is, or how many people or responsibilities they have, your CIO is human—and so is your entire executive team. If you apply communication strategies that have been proven to work outside of cybersecurity, you can get your CIO and other executives more involved in security decision-making.

• Feel—One thing that my conversation with the CIO demonstrates is the role that emotions play. The original policy to lock down all ecommerce on company devices and networks was driven by fear. Emotions are understandable, but they can also drive us to make rash decisions that we regret later. You can diffuse an emotional situation by listening first. Try to understand where the CIO is coming from before you respond to his or her emotions. And above all, resist the temptation to scare an executive into taking security seriously by throwing scary statistics at them. That will only backfire.
• Focus—CIOs and other executives are bombarded with decisions and issues all day long. It can be challenging to get them to focus on your agenda, but it’s important if you want them to make smart security decisions. Set a meeting for a quiet period in their calendar or have a planning meeting set aside where it’s agreed cell phones are off and brains are fully engaged. It’s amazing what we can accomplish when we’re not distracted.
• Slow down—This goes hand in hand with Focus. The timing of and the amount of time for the discussion can also dictate the outcome. Allow space for questions and thoughtfulness. I’ve led “Executive Introduction to Threat Modeling” classes using implantable medical devices (IMDs) and fitness wearables as examples. In the first five minutes most of the class leans toward thinking the IMDs pose all the risk. But once they’ve taken the time to threat model both devices for themselves, they realize fitness wearables can be on-trivial threat vectors.
• Simplify—Tailor your conversation for your audience. Tech speak may resonate with a CIO, but other executives will get lost if you get too techy. And no matter who you are speaking with, it’s important that you speak in the language of business goals. How do your proposals and ideas best advance the goals of the executive that you are speaking with? And don’t be afraid to engage the C-Suite in the activity of simplifying. If you ask the executives to think about how they’d explain ransomware or phishing to a very non-tech savvy relative, they’ll be able to connect more closely with the technical risks and also, hopefully, have a bit more empathy for you, the security geek, who’s tasked with explaining tough security risks to them.
• Spark—Tap into the incredible power of “why.” Why does your company do what it does? Make sure your security pitch aligns to this overall mission. Explain how your security efforts get the company closer to achieving its vision. Go back to your corporate vision statement and ask the execs if a proposed policy or control ultimately supports that mission. When a CEO participating in an incident response simulation opts to report an incident, not because it’s legally required, but because “our corporate values mean radical transparency with our customers,” you’ve sparked real connection between technical risk management and the business.

Experience is one of our great teachers. As the CIO in this story learned, some security rules look good until they get in the way of executives. And some security measures may seem costly and unnecessary, but when weighed against massive reputational damage or material financial loss, those investments calibrate as frugal and wise. You don’t have to make your CIO a cyber ninja to have a productive conversation. To effect real change, engage executives as human beings in the cybersecurity policy and strategy decision-making process.  You can learn more at our CISO series page.