In this video, Kip Boyle discusses how to communicate compliance information and improvements in an organization's information security program. Learn how to communicate with other stakeholders about their cyber risk work.
- You will primarily communicate with other stakeholders to inform and persuade them about information security. As with your boss and executives, you need to understand who these other stakeholders are, and how they consume information. Also, consider how many people you need to reach and where they are. The bigger your organization, the more help you'll need to communicate effectively. To convince staff to work more securely, be specific and ask them directly. To do that, get help from more experienced people to learn how to use the existing channels of communication in your organization.
This tactic will save you valuable time and political capital. Unless you work in a relatively small organization, you'll need to broadcast information to staff rather than meet with them individually. You can use email to send out your messages, but email is easily ignored, so always add at least one other channel to increase the number of people you reach. For example, video is a very cost-effective and engaging channel. If possible, also get the help of someone who is an expert in organizational change management, because they deeply understand how to encourage people to adopt new ways of doing things.
One very effective method is to ask supervisors if you can join them at one of their regular staff meetings to present your information. However you broadcast your messages, it's crucial to get all first-line supervisors to reinforce your expectations directly with their staff. Why is this important? Because the supervisor sets the tone for what individual contributors take seriously, so if you want supervisors to support your need for good cyber hygiene from everyone, every day, the way to start getting support from them is to first get the support of the supervisor's manager.
Once you have it, then talk directly with the supervisors. Always make sure supervisors know in advance about the messages you're planning to send. Otherwise, they can't effectively support you. Give them time to absorb what you need them to say to their staff. Explain why daily cyber hygiene is in their best interests. Then, create space for them to ask questions and really get on board. But ultimately, you still need to send your messages, so don't let the supervisors completely stop your progress with endless questions and objections.
Obviously, this will take a good amount of planning on your part, which is time-consuming, so be prepared. It's also crucially important to have the support of your peers, especially if you hold a management position. But there's no one successful approach to get support from all of them. The dominant culture of your organization will strongly influence whether your relationships are collaborative or political in nature. Your personality, values, and skills will play a major role in how hard you have to work to be successful getting their support.
If you need help devising a strategy, get a mentor who really knows the culture. Finally, if you ever find yourself needing to talk with customers or the media, only do so with help from your public relations or corporate communications team.
- Goals and components of an information security program
- Measuring and managing information risks
- Reducing risks to an acceptable level
- Using a workflow to organize your work
- Communicating progress with executives and stakeholders
- Demonstrating compliance