Key Takeaways: The Security Leader's Communication Playbook

"The Security Leader's Communication Playbook," by Jeffrey Brown, CISO of the State of Connecticut, offers practical insights and solutions for the modern CISO seeking to bridge the gap between the data room and the board room. Our recent conversation yielded 8 key takeaways on leadership and communication from the veteran infosec leader, who has been operating at the frontlines of cybersecurity since the mid-90s. Also, learn why the future of cyber is more Lord of the Rings than Army of Darkness. This one is fun and informative!

‍

The Information Security Leader's Communication Playbook

Jeffrey Brown, CISO of the State of Connecticut, author of The Security Leader's Communication Playbook, due out Sept. 13, 2021[/caption]Author a cybersecurity book? The idea kind of came out of left field for Jeff Brown, CISO for the state of Connecticut. Some co-authoring aside, he had been too busy leading information security departments at major financial institutions like AIG and GE Capital for the past two decades to sit down and write. But after accepting Connecticut’s first CISO position, Jeff was approached by an editor for a major publisher. They got to talking and realized that he, as a communications-turned-IT-and-infosec leader, had unique insights into the CISO’s evolving C-suite role.“Leadership at all types of organizations—Boards of Directors, state governors, CEOs--usually have simple questions they need answered,” said Jeff, a communications and journalism school graduate who transitioned from publishing to IT in the mid-1990s. “Are we secure? Could the problem that happened with our peers or with the competition happen here? What can we do about it? These are simple questions, but they can be hard for cyber people to answer because they lack the soft skills and the ability to communicate risk at a high level. The cyber guys may say, ‘We’re never secure,’ and then rattle off all these scary statistics and talk about APTs without realizing that the audience didn’t spend their whole career learning this stuff and they aren’t following what you’re trying to tell them.”Packed with tips on building soft skills, killer metrics, board-level communication strategies, sustainable awareness training, and more, “The Security Leader’s Communication Playbook” is a fun and fluid read, offering frontline practical insights and solutions for the modern CISO. Due for publication by Routledge Sept. 13, 2021, and weighing in at 388 pages with 17 chapters (plus intro and conclusion), it promises to be a go-to title for information security leaders looking to bridge the gap between the data center and the board room.“I see people getting called in front of the board of directors and they don’t really know how to handle themselves,” said Jeff. “I’ve seen guys go into a 20-minute board meeting with 50 slides and try to present all this detailed technical stuff and it just doesn’t go well.”In 2008 he saw just how powerful communication can be for cybersecurity leaders. After the global financial crisis, he needed to get buy-in at the highest levels of a major financial institution for a sizable investment into a security program overhaul that few understood. He managed to build a successful case using the principles outlined in his book, helping one executive at a time understand how important security was to the business.I sat down with Jeff recently, and we had a delightful conversation covering the topics of his book. Here are some key takeaways.

‍

1. The Security Leader's Communication Playbook: Know your audience

“Put yourself in the audience’s shoes first and tailor your message to them: Are you telling them what they want to know, what they need to know, and in a way that they can understand and act on? For instance, try to understand where the Board of Directors are coming from. They are on the hook for something kind of scary with cybersecurity that they don’t really understand, and then security people come in with slides on APTs and all this technical security stuff with acronyms they’ve never heard of and statistics without any context, and all they want to know is, ‘What does that mean? Are we secure? What’s our risk? How do we get secure?’

2. Bottom line up-front

“I’m a strong believer in, ‘bottom line up-front’ or BLUF. It’s a military term but it’s widely accepted elsewhere. The C-level is worried about cash flow, operations, and yes, cyber is a concern. But ultimately what they really need to know is that someone has security covered and it’s progressing along with the general business and operations.”

‍

3. So What?

“It’s easy to overcomplicate security communication. You spend your whole career learning all these technical aspects and monitoring them every day. It’s too much stuff for anyone to absorb in a single meeting. Tailor your message to your audience’s focus and ask the question: ‘So what?’ That’s what they really want to know: ‘Okay, we have 30 servers, and 500 vulnerabilities per server: So what? What does that mean? Are we secure? How do we get secure?’ Security people sound too many alarms, but business people need to know, ‘So what?’ and understand how it relates to the business.”

‍

4. The language of risk

“At the end of the day, security people are risk managers. When we communicate risk, we can put it in high-level terms that answer these questions:

What are our most catastrophic risks?
What’s most likely to happen?
How are we reducing that risk?

5. From Dr. No to Mr. Yes

“The times when I’ve seen the lightbulb really go on with executive leadership is when we security people support things they expect us to block. Sometimes we are just called the ‘No people.’ We are seen as we don’t help create and implement solutions, we just stand in the way of progress; ‘I’m not moving to the cloud because I don’t have time to understand the cloud, so just don’t do it!’ You can’t just say ‘no’ all the time.I was at a big bank and the CIO was leaning on me to be the cloud champion because he understood its potential and felt the big roadblock to the cloud was his security department. But it helped me, as the security person, to be able to explain to everyone that the cloud is actually a good thing. We aren’t in the business of managing servers in a data center so why are we spending so much time and resources doing that? Your business is making money and moving money, not managing servers. After that, the relationship between security and everyone else was much stronger.”

6. No one buys an airbag

“In terms of what the board needs from us in security, it’s often about risk reduction and compliance, as well as meeting customer demands with, for example, security-as-a-service stuff like two-factor-verification. At the end of the day, no one wants to “buy” security, and that’s OK. It’s like safety features in a car. I’m not going to buy the world’s best air bag. You don’t buy the air bag, you want the car, you want the Tesla, and if it offers a great airbag along with all the other features of being a great car then that’s fine. But you’re not buying a car to get the airbag.”

7. Goal, Question, Metrics (GQM)

Chapter 10 of Jeff’s book is titled, “Driving change through metrics.” Truly fantastic, this chapter alone is worth the price of admission. The following is excerpted from it.“Metrics are one of the most powerful communication tools at your disposal. They can demonstrate progress or risk in a simple chart or number that everyone can understand. Metrics can help drive change and shift corporate cultures—when used properly. Metrics can also be a liability when used improperly…A powerful method of coming up with metrics that matter is the “goal, question, metric” (GQM) method. The GQM approach focuses on identifying goals, developing sets of natural language questions that would allow the intended audience to judge performance based on the answers and subsequently to identify a set of metrics that can drive the answers to the questions.As an example, think of a business situation such as the risk of a data breach that could result in bad publicity, regulatory fines or lost revenue. So, the goal would be to reduce the likelihood and damage from a security breach involving lost data.What questions come to mind here? A few might be:

How many breaches do we typically have?
Where is our most sensitive data stored?
Who has access to it?
What fines might result from a data breach?
How many records could be exposed?
Is our risk of a data breach increasing or decreasing?
What are we doing to prevent or limit data breaches?

‍

Next, you could develop some Key Risk Indicators (KRIs) to measure relevant numbers like:

The number of sensitive data records
The number security breaches involving sensitive data
The number of sensitive data records exposed to the Internet
The number of roles with access to privileged data
The regulatory fine per data record

Tracking changes in these KRIs would potentially indicate a shift in your risk exposure going up or down. This is just an example. There is no one size fits all for security measurement.”

8. 4 keys to effective awareness training

“The reality of our role in security is, we need to communicate to every single employee in the firm at some point to raise their awareness about security. And that’s a big ask. Most business functions don’t have to do that, and it’s a tough communication problem. But that being said, it can be an opportunity to bring people together and build culture, too.”Key 1: Continuous security message“An awareness program has to be continuous. Too often, once a year you have to go to some kind of long and scary training, or watch a video, or there’s some other silly thing that checks a box for ‘awareness.’ And that kind of one-off training doesn’t raise awareness. You need a consistent security message that needs to be continuously reinforced. Even smaller messages delivered via micro-trainings, or these mini-quizzes that pop up and you engage with for a minute or two every so often; that can work!”[Editor’s note: So, so true]Key 2: Approachability“This is really so critical and it’s a part of the soft skills. If we always make it difficult to engage with information security, people will just go right around you. You want your business customers to be able to raise concerns and questions. For instance, sometimes people come to me with a question on a phish and it’s important they feel they can do that. Sometimes it might not be a phish but an actual service update, and that’s great, it’s still an opportunity to build awareness. But sometimes it is a phish, and by reporting it they have saved another nine people from maybe clicking on malware. Making people feel OK about reporting things is vital for good security culture. You wouldn’t believe how many people don’t know how to report a phish.Also, think about your vocabulary. You always put the audience first. We security people use all this tech talk, and in some cases, from where the other person is sitting, all of it is intimidating. You have to really think about it. Instead of saying IPS or DLP, just give a more high-level general description of it.”Key 3: gamification“One thing I’ve seen really work well is the gamification of the security message. People react well to gamification. It lets you engage frequently, so security is always kept in mind.[Editor’s note: Ready player one!]Key 4: positive reinforcement. A lot of people do phishing exercises and use that as a punitive thing. ‘We will punish repeat offenders!’ That’s what they call people who have clicked on simulations, and it’s very telling that they talk about them like criminals. What you want to do is reinforce good behavior. Perhaps in certain instances, when punishment is warranted, certain steps can be taken but those instances are few and far between. No one wants to go to work to be punished, to have a bad day, to have a security boss tell their boss that they’ve clicked on too many links.I’ve seen it get really crazy. One major financial firm had a canned message from the CEO for repeat offenders. So, if someone clicked something, they’d get this email from the CEO saying, ‘We strive to hire the best and brightest, and you have missed the mark.’ I suppose it kind of worked by getting some people running to security to avoid this, but that is not effective or sustainable.”[Editors nodding, fist-bumping: "We agree!"]

‍

Looking ahead: The future of cybersecurity is Lord of the Rings, not Army of Darkness

I asked Jeff how he sees cybersecurity evolving on both sides of the battle lines.“Success in the future for cybersecurity is going to be about information sharing and cooperation. The bad guys have gotten organized and we need to as well. They are much more organized than they were 25 years ago when it was a handful of IT-savvy individuals operating out of their basements for whatever their own reasons were. I remember the ping of death attack, delivered with a malformed IP packet, and back then we in security took comfort in the fact that only a small group of individuals had the expertise to carry out an attack. But then, with the release of this tool that brought malware to the masses, we saw that the theoretical is now practical. (Now there’s ransomware-as-a-service business models, there’s downloadable phishing kits.) We have guys who are funded by states, they’re funded and sponsored by governments, and they have a blank check to do this every day, all day. It’s a huge challenge, and to do security effectively, the more info-sharing and cooperation that we have the better it will be for being able to react quickly.For example, after the Colonial Pipeline attack, we here in information security in the State of Connecticut were able to examine known indicators of compromise quickly and react immediately to mitigate the threat. That was a great example of rapid information sharing enabling rapid response.”

‍

Army of Darkness, to Lord of the Rings

When asked what popular movie serves as his favorite metaphor for security, Jeff had a great dual-answer. His first thought was Army of Darkness, the horror-camp classic from the Sam Raimi Evil Dead franchise, in which endless legions of demons possess people and skeletons rise from graves to attack the living and spread chaos.“They kind of just keep coming, and the hero has to just keep fighting one thing after another,” said Jeff. “But as I think about it more, I think Lord of the Rings is more appropriate. It comes back to the idea of information sharing and organizing against an organized adversary. You have all these evil adversaries getting organized and working together and the good guys are doing the same. They’re coming together to fight the armies of Sauron and it’s a long journey to get to Mount Doom that requires all these humans and elves and hobbits and dwarves coming together. The problem is extreme and there’s a lot hanging in the balance and they eventually realize that if we work together, we can succeed.”

10 Steps to Award-Winning Cybersecurity Training: The AES CSO50 Playbook