The Security Leader's Communication Playbook
eBook - ePub

The Security Leader's Communication Playbook

Bridging the Gap between Security and the Business

Jeffrey W. Brown

  1. 328 pages
  2. English

About This Book

This book is for cybersecurity leaders across all industries and organizations. It is intended to bridge the gap between the data center and the board room. This book examines the multitude of communication challenges that CISOs are faced with every day and provides practical tools to identify your audience, tailor your message and master the art of communicating. Poor communication is one of the top reasons that CISOs fail in their roles. By taking the step to work on your communication and soft skills (the two go hand-in-hand), you will hopefully never join their ranks. This is not a "communication theory" book. It provides just enough practical skills and techniques for security leaders to get the job done. Learn fundamental communication skills and how to apply them to day-to-day challenges like communicating with your peers, your team, business leaders and the board of directors. Learn how to produce meaningful metrics and communicate before, during and after an incident. Regardless of your role in Tech, you will find something of value somewhere along the way in this book.

Information

Publisher: CRC Press
Year: 2021
ISBN: 9781000440300

PART 1

Communication Foundational Skills

DOI: 10.1201/9781003100294-1
This section of the book walks you through “just enough” communication foundational skills. While it may be tempting to jump to Part 2 of the book, much of that section has been built on the material found in Part 1. These foundational skills include material I wish I had understood earlier in my career and information that I think you will genuinely find useful.
We will cover all the basic foundations that you need to excel in your role: written, verbal and even visual communication. This section covers foundational skills, acclimating to new companies and communication “superpowers” like learning to say no and negotiating like a boss. There’s a lot more and I promise to try and serve you to the best of my abilities. Even as a communication expert, I learned a lot by writing this section and I hope you will also learn a lot by spending some time with me in this journey.

1 Foundational Communication Skills

DOI: 10.1201/9781003100294-2
The way we communicate with others and with ourselves ultimately determines the quality of our lives.
~ Anthony Robbins
The basis of all soft skills is strong communication. To discuss communication, it’s helpful to first define the word. Let’s use a working definition of communication: “to express oneself in such a way that the message is readily and clearly understood.” This sounds simple enough. We have been communicating all our lives. It’s typically something that just happens, which is why many people never think about how effective they are at it or try to make improvements. This is a mistake.
The word “communication” comes from the Latin word communis, which means common. Therefore, when we communicate, we are trying to establish “commonness” with someone. In other words, we are trying to share information or an idea with someone and get everyone on the same common ground and create a mutual understanding. This definition is helpful, because obviously the point of communication is to connect with someone and get an idea across to them. The only problem is that often in communication, we use the methods that suit ourselves best. We use our preferred communication styles, jargon and mediums rather than the recipient’s. A lot of communication doesn’t go well because it is set up that way right from the start.
To communicate effectively, you need to consider factors that include people with different experiences than your own, the setting, verbal as well as nonverbal cues and the intended meaning versus the perceived meaning of a message. There’s a lot working against successful communication. Distraction, work overload, and cultural and language barriers can all interfere with how your message is received.
Communication is ultimately an abstraction of a thing, event or an idea, and not that thing itself. I can tell you what it was like being in downtown New York City on 9/11, but it will not convey the same experience for you as it did for me. Communication attempts to share a concept or experience that exists in your head and tries to get it into someone else’s head. No wonder getting communication right is so difficult!
In my two-plus decades working in information security I have watched the role of senior security leader evolve from someone who spends most of their time working with fellow technologists to someone who must communicate with all levels of an organization, from the technologist all the way up to the CEO, board of directors and everyone in between. A senior security leader is expected to have a technical background, but the role has also shifted into a risk-savvy business executive capable of leading and influencing across the entire organization (Figure 1.1).
FIGURE 1.1 Good communication is critical for cybersecurity leaders. You will need to communicate with every single employee in a company at some level.
Unfortunately, most people in these roles never receive communication training in their career journey and many struggle with communication challenges. Poor communication skills undermine strong technology skills and will keep you from being fully effective. The more senior you get in your career, the less you are expected to have the same “hands on” technical knowledge as the people who work for you and the more you are expected to be a great communicator and someone who can interact with all levels of the organization. You could write, speak and present all day long, but unless you know how to reach your audience, you don’t have the communication skills needed to help provide adequate security to your company and be part of its success.
All leaders need to be good communicators. This is true for CISOs, CEOs and any senior business executive. If you have reached this level, chances are you oversee a significant area that includes people and company resources. In fact, the larger your team and scope, the more you will find that jobs like the CISO role are weighted more towards communication than the technical details of cybersecurity.
History has shown that keeping the cybersecurity function in isolation is not a successful strategy. Information about the security program needs to be shared across all departments and at all levels. Everyone from technical staff to marketing and business staff and all the way up to the CEO and board of directors is responsible for their part in supporting the security program and understanding, at least on a basic level, how security works and operates.
This is what makes communication for a security leader so hard. You live in two worlds: the business world and the technical world. And the technical security world you live in is really a collection of technical fields, including applications, networks, policy, databases and security, which can all be broken down into ever-smaller subdivisions. Each of these areas could take years to master individually.
You’ll need to learn how to frame the conversation in terms that executives understand when you’re working with business leadership. When you’re working with technical peers, you’ll need to present specific technical controls that need to be in place. These are very different conversations. Finally, when working with your team, you will need to turn information security into something that is relevant to their role and be a mentor, a teacher, a coach and a leader.
This section of the book lays a lot of the foundation you will need for Part 2. These are important skills that you should not skip over. Even if you think you know them, are you practicing them? I will cover topics like active listening, being concise and how to think like a businessperson, so you can better connect with them.
It can take a lot of effort to communicate effectively. But spending time learning and practicing stronger communication pays dividends. Whether you’re speaking, listening, writing or reading, clear communication will greatly enhance your experience and open new opportunities for learning from and connecting to other people.

The Security Communication Manifesto

When you wake up in the morning, tell yourself: The people I deal with today will be meddling, ungrateful, arrogant, dishonest, jealous, and surly.
~ Marcus Aurelius, Meditations
It’s helpful to be realistic about business communication. It’s bad out there. Really bad. The quote above, from Stoic philosopher and Roman emperor Marcus Aurelius, was one that he used to set his daily mindset and expectations. Rather than wishing that things be different or pretending that they would be ideal, he set his expectations every day that things would likely be difficult. And that was OK and to be expected. You see it, accept it and you keep going anyway.
Using this as a starting point, here are some fundamental truths about communication that you should consider.
  1. We are all distracted. Assume that the people you are communicating with have plenty of other things they’d rather be doing. So, get to the point!
  2. Security is confusing for non-technical people and their inclination will be to tune out if you don’t make what you’re saying relevant and interesting to them. So, make it relevant and interesting!
  3. Security is mostly bad news. People will want to shoot the messenger; it’s human nature. Don’t be surprised if people aren’t thrilled that you’re here to talk with them.
  4. No one gets excited when your email arrives in their inbox. They will read your messages quickly and then just as quickly delete them or lose them in a mountain of other messages. There are a hundred others that arrived before you. Make it easy for them and don’t be part of the email deluge.
  5. Hardly anyone listens, but it’s still up to you to find a way to get and maintain their attention.
  6. Most people you talk to are working on their response or thinking about other things rather than listening to what you’re saying. You are going to need to be engaging enough to make them want to pay attention.
  7. No one wants to read your policy/standard/guideline. Make it easy to digest anyway. Don’t let length or technical jargon be their excuse for not understanding it.
  8. The report that you spent hours compiling will likely be scanned quickly or not read at all. You still need to put your best work forward. You are a professional and you always want to prove it by producing quality work.
  9. People will avoid difficult conversations like the plague. Guess what? You’re going to mostly have difficult conversations as a security leader. Don’t worry though, you’ve got this.
  10. You are going to have to repeat yourself between 6 and 20 times for some people to finally “hear” your message. Accept it. You probably do it yourself sometimes.
This may not sound like a rosy picture, and it isn’t. But it’s reality and you need to work with reality. The techniques and tips outlined in this book will help you overcome some of these obstacles and increase the chances of your message getting through. I’ll summarize a bunch of them right now for you in very simple language: make it easy for your audience, not for yourself.

Communication Scenarios You Will Face

As a senior security leader, you will be faced with many communication scenarios. Throughout the course of your day, you might find yourself talking to technicians, business executives, your team, financial professionals, vendors and even the board of directors. You oversee a critical function and you have been given a lot of resources (or at least some resources!) to accomplish your mission. You are going to have to regularly report on progress, issues and roadblocks in a way that everyone understands.
You will be expected to speak up in meetings and present to business audiences, and you may even find yourself in public speaking engagements, podcasts or interviews. If you are like most of us, you will also spend a disproportionate amount of time writing, responding to and reading emails. You will probably have a team, and in some cases a big team. You need to communicate with them as well. Being able to communicate clearly and concisely will help you ensure that these resources are lined up, that the company understands the good work you do and the business understands how you help mitigate their cybersecurity risks and enable them to achieve their core mission. Good communication will make acquiring funding for your program easier as well, because you will be speaking in business terms, not technical terms.
Brushing up on communication skills is ...
