So you want to be a CISO - Step #5 "Communicating"

So now we come to the final step. We have collected all of our notes and findings and developed our
new budget and strategic vision for upgrading the organization’s Cyber Security strategy. This
strategy, coupled with our prioritized list of security issues, will now need to be socialized
because we need support for implementing the changes that the organization should make. We
will need to communicate our assessment findings (“Where we are presently” from an overall
cyber perspective) and then add our vision (“Where we want to be”). Our identified gaps and
issues will be the difference between these two pictures. It is these gaps we need to socialize so
our organization understands the business value in correcting them and reducing the risk
and liability to the organization. There are three important processes that make up this step:

• “Listen” to your network
• “Socialize” your security vision
• “Visibility” – make your case

1. “Listen to your network” – In this first of three processes for “Communicating,” you are
going to leverage the human network you have developed in your position as CISO. When you
assumed your position as CISO, you started the evaluation of your Cyber-Security Program with
Step 1 “Meet & Greet.” This first step was about building your human network and the
beginning phases of gathering information, through this network, to assist you in the steps to
follow.

Now that you have your human network in place, you should be continually speaking and
listening to them. The concept of “Continuous Communications” is critical for you as a CISO.
You are no longer the network engineer or security engineer. As the CISO, you are expected to
have a strategic, global view of your organization and with it, an understanding of how your
organization does business. Having this understanding will enable you to orient your security
program to better serve your organization and protect it.

In “Listening to your network,” you should be speaking with your team and discussing with them
what they are seeing while working at the baseline “User” level, as well as what issues and trends they
see in providing service to the customers. In speaking with your stakeholders, you should be
continuing the discussions from your Step 1 “Meet & Greet.” What issues are they having? Are
these issues being seen by your team, or are they localized? What are your stakeholders’
“needs”? Are they still discussing new innovative services that they want to deploy to external
customers? If so, what are the barriers? Is your team seen as the barrier to deploying this new
technology? Do your stakeholders have ideas to better enhance a current security team
workflow? Over the years, I have found that taking my stakeholders to lunch or out for a coffee
and just listening has enabled me to see areas that need improvement, and in their eyes they
become part of my team. I can’t stress this enough: stakeholders are your customers, so speak to
them, listen to them, and use their input to improve your cyber-security program.

The last part of “Listening to your network” involves speaking with your peers and speaking
with leadership staff (Departmental and C-Suite). With respect to speaking with your peers,
honestly this should be something you do on a daily basis. I have found my peers throughout the
organization possess a wide range of organizational knowledge that is extremely useful for my
team. Peers will also have insight into the ideas and projects your stakeholders bring forward:
insight into how recommended technologies could be connected together, and insight into how these
connected technologies could possibly cause issues. It is your peers’ viewpoints on these
disparate issues that you will truly find critical in executing your plans to effectively deliver
cyber as a business service to your organization. Peers also bring knowledge of projects that are
being managed within their own programs that your stakeholders may be able to leverage,
saving them time and needed funds. The last group I mentioned, leadership staff, is one that as a
CISO you need to listen to for what I call “Organizational Truism.” To me, this is an
understanding of where the organization truly is in relation to its competitors, in relation to
the fields of business it operates in, as well as in relation to the local, state, and federal agencies
that enforce compliance. This “Organizational Truism” is the reality check you need from your
leadership; it gives you context on which security gaps have priority when you are building your
“Security Project Plan.” It also brings context into which projects have a chance at being funded
and which ones you will need to make the case for: why they are required and what business
value these projects will bring to your organization when successfully completed.

The core idea I want to bring across to you as a new CISO is that “Listen to your network” needs to be
continuous and it should never be a one-way conversation. You must be able to coherently
express your strategy for Cyber Security to your organization and how each one of your
stakeholders will benefit from cyber being properly implemented and managed by your team.
You must also be able to listen to your stakeholders and adjust your strategy when appropriate.

2. “Socialize your security vision” – in this process, it is all about you, as the CISO, being able to
effectively communicate your vision of Cyber-Security for your organization. Not only must you
be able to communicate your vision (future state), you must also be able to elaborate on the steps
that will be required to get your program to that stable maturity level. In the “Socialize”
process, you will be continually discussing with your team, peers, stakeholders, and leadership
staff your organization’s current cyber-security level. You should also discuss what
assessments you are conducting and why they are required. I have found it helps to be able to
state that the assessments you are conducting on your security program are there to give you a baseline or
foundation from which to build. I have at times stated that we are going to get ISO or PCI
certified and have used that as a framework to give my vision of cyber some context within my
organization’s strategic goals.

It is here in the “Socialize” phase where, given that you have completed various security
assessments, you can now start the discussions of security gaps. I use the assessment results
during this time to communicate our “present state” and where we want to be, our “future state.”
Then I show the “security gaps,” or steps that we must correct to get there. I ask my stakeholders
and leadership team for input on prioritizing these steps, and in the process I assist my team
in getting visibility into the work ahead.

3. “Visibility, Make Your Case” – this last process of the “Communicating” step is tied closely
to the previous process of “Socialize your security vision.” It is in this final part of
“Communicating” that you make your case for the prioritized security gaps and projects that you
need to fund and complete. I have found that when “making the case” for cyber-security, it pays to
discuss what reduction in risk the projects will provide to the organization. I have found it is
especially helpful to articulate the increased value or new services these projects will provide to the
organization. You will notice I don’t talk about threats, vulnerabilities, or their consequences. I
have seen numerous times when dealing with leadership staff that they generally know threats,
vulnerabilities, and their consequences are givens. What they really want to know about your
security projects is whether, in fixing these issues, they will provide value or enhanced cyber-security
services to the organization. Leaders are constantly looking at numerous projects across the
organization, and they need to prioritize those that will enable the organization to succeed. So
with that in mind, as a CISO, you need to “Make your Case” about how providing budget and
resources to your team will enable the organization to compete and reduce its exposure to risk.
You need to “Make your Case” that with a mature Cyber-Security program as a foundation, the
organization can build on it and deploy new innovative technologies safely, and that with a
mature Cyber-Security program, your organization can leverage new technologies and be
successful using Cyber-Security as a business enabler.

Remember, this will take time, and you will be sifting through and collecting large amounts of
information as you assess your Cyber Security program. I have found that during this time it helps to
remember you can’t do it all immediately: use your team, use your stakeholders, and remember
to reach out to your peers for help and advice. Remember it is crucial that you continue to
develop your relationships with your stakeholders; they are your customers, and there will be
times when you will need their assistance. Being a CISO is an awesome job. I thoroughly enjoy
the challenges it brings and hope this road-map will provide you with a plan to help you as you
take on your new position.

***All mindmaps for this article are available for download at https://app.box.com/Five-Step-CISO-Mindmaps
