Back in December, I attended an event that included a large number of security executives from various federal government departments, and what materialized over the course of the meetings were more than a few excellent discussions on the topic of how to better connect the efforts of the security teams to the specific missions of their respective agencies.
Aside from the never-ending task of securing critical systems and the sensitive data they contain, one of biggest and arguably most difficult challenges for leadership is effectively communicating the value of security to all parts of the organization.
Key to this effort is first recognizing how to create the opportunity to present the information security value proposition, then knowing how to craft the message so that it is accessible and actionable to a diverse audience, many of whom may still believe security efforts to be tangential to the organization's central mission.
After chairing multiple boardroom discussions with several dozen CISOs, CSOs, CIOs, etc. who spoke openly about the obstacles they face in communicating this fundamental but novel notion, one specific issue consistently emerged: finding the right “translator” within the organization to make the case.
An effective translator is one who not only possesses the acumen required to understand information systems and security protocols from a technical perspective, but who also has the capacity to communicate the “why” of security to a non-technical audience in a way that truly resonates.
The ability to translate the value of security as a core aspect of an organization's mission – not as a separate function divorced from the organization's purpose – is an essential skill for the success of information security teams now more than ever, and the need to effectively connect security directly to the business mission will only continue to grow in importance.
As the conversations at the event progressed, we were able to identify some key strategies for building these translation skills within our teams.
During the hiring process, we look at specific competencies among the candidates for a position, so why not also look for a candidate's ability to effectively communicate the principles underlying security as a central business function or goal of the organization?
For those organizations that are not in the position to seek out new staff who have the prerequisite communication skills, consider identifying existing personnel who already exhibit the right qualities, and offer them the opportunity to engage in training to further develop these abilities.
Often the inclination is to take a technology wonk and try to train them to speak the language of business risk, but the general consensus among the group of attendees was that it may be more effective to take someone with a strong business background and train them on the technologies behind an organization's security initiatives, then allow them to go back to their tribe and make the case for security as a business objective.
Alternatively, it was suggested by more than a few participants that it may be advantageous to identify someone in a compatible role who is well suited to take on this translation task and repurpose their position in the organization to include this responsibility. Potential candidates for this approach include:
- Internal audit and/or IS audit staff: They already know how to deal with both the tech and business management teams, and they have a thorough understanding of risk mitigation and applicable controls.
- Marketing staff: Yes, that's right, the marketing staff. One of the federal agencies participating in the discussions found great success in tapping its marketing team to create “Executive Dashboards” to help with the translation. This agency had the reporting team interview the very executives who would be consuming the reports, and used the information it gleaned to develop crisp, clear dashboards that actually excited the execs.
The last approach identified is simply to “be lucky.” This isn't necessarily a repeatable practice, but nonetheless a good number of organizations indicated they just happened upon people within their organization who already possessed these types of translational skills. Be observant and leverage the innate abilities of your team members.
So how do these strategies and suggestions compare to your own experience in attempting to better connect security to your organization's mission? Is a communication skills gap impeding your organization's success when it comes to making the translation? Or, if you've already solved this problem in your organization, what were the factors that were instrumental in bridging the gap?
This event in December underscored the fact that many are just beginning to address these challenges, and through these sorts of discussions and the sharing of new ideas, it is clear that there are several viable approaches to finding the right persons to communicate the business value of security.
You just have to find the one that works best for your organization.