Q&A with John McCumber of (ISC)2

Cybersecurity skills are an obvious necessity for any senior information security executive, but nearly as important is the ability to effectively communicate with corporate-level management and ensure their support, approval and financial backing. And that is where many IT experts find themselves lacking.

At RiskSec NY on May 31, John McCumber, director of cybersecurity advocacy, North America, at (ISC)2, a non-profit cybersecurity training and certification organization, will serve alongside Turner CISO Pete Chronis on a panel session that addresses this very issue. The following is a Q&A with McCumber, who previewed his joint presentation for SC Media:

SC Media: You will be presenting on a panel about securing buy-in from senior management. What do you expect/hope will be the key takeaways for individuals attending this session?

JM: A key takeaway would include an understanding of why using key words and concepts correctly is vital for communication. Also, the knowledge that security personnel are always advisors first, and employees second.

SC Media: What is the one must-see moment, talking point or lesson from your presentation that attendees are not going to want to miss?

JM: You absolutely need to understand the basic “risk equations” to know how key terms in cybersecurity are mathematically related.

SC Media: What kinds of training and education does (ISC)2 provide to help senior infosec executives become better communicators and develop collaborative partnerships with executive-level management? What do you see as the “secret ingredients” to fostering a strong relationship with senior management?

JM: There is no “secret ingredient.” There are only effective and ineffective communication skills. (ISC)2 offers lifelong career learning and globally-recognized certifications. Our certifications require adherence to our code of ethics, demonstrable experience, and the knowledge to pass a difficult and lengthy examination that covers six domains. We have over 135,000 members worldwide, and we are expanding our educational benefits to our members every day.

SC Media: Do you find that certain types of infosec projects and initiatives are more challenging than others to secure corporate buy-in? What are the key characteristics of projects that most often succeed in winning C-level approval and what are the traits of those projects that don't?

JM: Certainly. Projects where the risks are not adequately defined tend to be less successful, in addition to those where comprehensive risk mitigation costs aren't laid out for the decision makers. In cybersecurity, there is no “winning” and “losing,” and those bipolar concepts are examples of words that hamper effective communication in the C-suite. If your project doesn't “win,” it's almost never a matter of right or wrong. Executives need to make difficult decisions about where each dollar is spent. They may simply perceive the cost of the cure to be less efficient than living with the disease, and accept the fact that future remediation may be necessary.