In this video, Kip Boyle discusses how to communicate compliance information and improvements in an organization's information security program. Learn how to communicate your cyber risk work to your boss and executives.
- [Teacher] Your boss and executives have three big communication needs from you on an ongoing basis. They need to know current status, so they aren't surprised by bad news and so they can get you the resources and the cooperation of other teams that you need. And because they own the risks you are managing, they need you to bring them risk decisions that are high-priority, timely, and actionable. Finally, they need to be able to tell the organization's cybersecurity story to various people, sometimes on the spur of the moment.
Let me give you some general guidance on how to meet these needs. First, find ways for your program to help your boss and executives achieve their current goals. If they want to increase productivity, for example, be sure to highlight what your program is doing to help. But don't compromise the integrity of your program to do it. Also, find out how they want you to communicate with them. You can ask directly, or figure it out by observing. Do they like to talk through problems, or do they prefer to read about them first? Are they analytical and detailed, or are they quick decision makers who value intuition over data? Speaking of data, try to present your data in a way that's similar to the other data they already look at and understand.
Sometimes your boss isn't able to be specific about their communication needs. In that case, as you create new reports, ask them for feedback well in advance of the deadline. You can also talk with other people who regularly report to them to find out what works. Don't be surprised if they change new reports a lot, either all at once or over time. Whatever happens, keep up with them. Now let's get a little more specific. The first communication need is current status. Give your boss regular updates on your four goals: meeting customer expectations, being cyber-resilient, being compliant, and supporting your executives.
Be sure to add anything else that's important to them. Their second communication need concerns decision-making. You need to regularly set up decisions for them. But remember, they own the risk, and your job is to help them make a great decision. Here's how to do it. Define the problem using language they understand. Then, provide three or four options in a summarized format. The options should offer a range of conservative to aggressive solutions. Be sure to focus on costs and benefits when you present options.
One note of caution: be careful you don't make decisions for them unless they have explicitly delegated that authority to you. Now let's turn our attention to their storytelling needs. I've developed a tool called the cybersecurity executive communicator. Anyone should be able to use it to tell their organization's cybersecurity story in about 15 minutes. The communicator uses four quadrants on a standard letter-sized piece of paper. After populating the quadrants with data, you tell your story by stepping through them one by one in this order.
Start in the upper-left corner with the summary scorecard, and point out your top strengths, then point to the graphical version in the lower-left. After a few moments, move on to the upper-right and quickly review your top five risks. Then drop down to the project portfolio visualizer in the lower-right. This is where you want to spend most of your time talking about the work you're doing to close your gaps. We've seen how to create all four of these visualizations in previous videos. But feel free to use different graphics as needed.