Stepping up your communications
Move your words and style up and down a ladder to match your audience
When discussing a current cybersecurity issue, would you use the same terminology and style when speaking with your CEO as you would when speaking with a senior analyst in your Security Operations Center? Although you would be discussing the exact same topic with both, you would (hopefully!) not use the same approach.
How well you communicate with different levels and groups is a major factor in how successful you can be as a modern CISO. Twenty years ago, most CISOs were subject matter experts who discussed technical issues in depth with audiences that were mostly within the IT world. Today, most CISOs still have high technical knowledge, but their audience has changed dramatically – in addition to IT partners, they must also regularly communicate with business leaders and the board. CISOs also provide critical input to public disclosures, communications with cyber insurance carriers, responses to audits and regulators, and possibly even testimony in civil litigation.
Assignment: On your way home tomorrow, take a moment to recap and assess the work-related conversations you had over the course of the day –
Who did you speak with?
What terminology, acronyms, and jargon did you use?
What did you assume your audience’s technical knowledge to be?
Did your discussion center on technical or business issues?
How did you do - did you speak on the same track in each conversation or did your communications adjust to your audience?
The most effective communicators adjust their message and style to their audience. An analogy for this idea that I love is a ladder, which the Model-Netics® management system (www.modelnetics.com) uses to illustrate the concept in its “Ladder of Abstraction” model. The concept is that the individuals and groups you communicate with have different levels of knowledge on your topic, and, like going up or down a ladder, you need to adjust your communications up or down to match.
Speaking at the wrong rung on the ladder can undermine your message and reduce your credibility, because your message has a lower chance of connecting. For example, presenting your board of directors detailed slides of statistics on types of attacks or vulnerabilities, using undefined acronyms, and assuming they understand references like “Cloud” or “Zero Trust” will likely make their eyes glaze over (and have you removed from the agenda of their next meeting).
To speak at the right rung on the ladder, put yourself in your audience’s seat:
What is their role?
What is their background on the topic?
What information do they need to know to perform their role?
What information drives your purpose for communicating?
For example:
A senior analyst in your Security Operations Center – Focuses on identifying and responding to cybersecurity threats, has deep technical knowledge, knows relevant acronyms and background on cybersecurity, and needs details and a sense of urgency.
A board member - Provides oversight of how management is handling cybersecurity risk. Because they look at the big picture of company risk, they need higher level, concise communications focused on business risks and impacts. They likely do not have deep technical knowledge, understand many acronyms, or know how cyber attacks unfold – nor do they need to.
When talking with senior business leaders or the board –
Focus on business impact and translate technical jargon into business terms.
Use data to quantify risks and show potential financial losses or operational disruptions.
Present solutions, not just problems - Propose actionable solutions for the risks that you call out.
Tell stories: Use real-world examples of cyber incidents to illustrate your points.
Be concise! Respect their broad responsibilities and busy schedules by staying on point.
CISOs have important information to deliver. Think through your message and your audience, and ensure you use the right words and delivery. Take complex technical concepts and translate them into actionable insights for business leaders, and communicate with your technical teams using the specific language of cybersecurity.
Hold Fast and Stay True!