For many years, we heard security professionals lament the way they are perceived. Terms such as "the place where good ideas go to die" and "the department of no" weren't uncommon just a few years ago when referring to the security function.
But that is changing slowly, according to many security leaders. Even as risk mitigation efforts, and the people behind them, get a better reputation, challenges remain when it comes to conveying security's message to company leadership and to staff users alike.
CSO spoke with three infosec veterans to learn what effective communication looks like in an organisation where security lives in harmony with the rest of the company. Here they tell us what NOT to do if you want to get everyone on board with what you're trying to accomplish.
Failing to convey security's vision
Lorna Koppel, Director of IT Security with manufacturing firm Kohler Company, has been in security for decades. After some time in the military, and a degree in atmospheric sciences, she found herself increasingly interested in IT security as the world became more computerised.
"Things were so much simpler then. The threats were not as complex and as targeted," she recalled. "Now our jobs are more complicated because we have to still deal with all the noise and threats that are automated, but we also need to be prepared for the more complex and advanced methodology."
For Koppel and her team these days, that means there is a delicate line that needs to be straddled between how security is handling current threats, and what it plans to be doing in the future.
"We've spent a lot of time looking at our vision. Where are we going? What is our strategy?" said Koppel. "It's really hard for security people because we are reactive. We can get caught up just fighting the fire. But we also have very clear projects."
She said she strives to always maintain a relationship with her team that requires them all to be forward thinking.
"I think the mistake some people fall into is dealing with the latest. Let me deal with what's on my plate now. Then I'll fit in the proactive stuff. But you get analysis paralysis. You don't make any progress on making life better for the company or yourself. How do you catch that soon enough so you don't waste a lot of time NOT making life better?"
Neglecting to relate security to everyone
Koppel believes everyone in an organisation, not just the security team, needs to understand how security is working for them. That means listening to user pain points and creating solutions with that in mind.
In a recent initiative to implement an identity management solution, Koppel and her team focused on the issues users were having with the existing infrastructure before going forward.
"Issues like getting access quickly, synchronising passwords and allowing them to use applications less frequently without losing access. By looking at all those things, we made their work easier."
The result was giving users one place to go and synchronising all passwords across multiple applications. Koppel said while the new system wasn't the platinum standard from a security perspective, it significantly bettered the security situation throughout Kohler. That's because while users only had to have one password, it was required to be a strong password, something many were neglecting to use before.
"Now when I sit down with people throughout the company and tell them I'm the person behind it, they say 'Oh, you're the one!' and are usually very pleased," said Koppel. "If we can solve problems for the user, we can also give them tighter security controls and they don't mind."
Failing to understand cultural differences
Roger Dixon, Head of Information Security with global investment management company Invesco, is responsible for a security department that spans the world.
"My team is scattered around the globe," he explained. "When communicating you always have language challenges. And every region is under different pressures within that position."
Dixon said cultural differences mean his messages need to be conveyed in multiple ways to avoid offence or misunderstandings. A message that may be straightforward in North America can be seen in an entirely different light in other countries. A one-size-fits-all approach will cause problems, he said.
"You may have improper activity, a policy violation, occurring somewhere in the business and you need to put out a message to address that," he said. "In North America you could get away with a 'cease and desist' message to stop the activity. But a 'cease and desist' has a slightly different connotation when you use it in the UK. In the UK they would see it as a legal term. To employees there it could be seen as the IT security department putting on airs with a legal term for a simple policy violation. Where you can get away with a stronger term in the States, it doesn't necessarily go over in other cultures."
Dixon said it is paramount to draw upon employees within different regions to help communicate in an area-appropriate fashion.
Failing to make the business case for security
As security's profile in business has risen significantly in the last decade, so has the CSO/CISO's status among executives. But Dixon said despite the increased emphasis on security, executives and employees alike glaze over when technical talk begins. Folks outside the security department are simply looking for someone to give it to them in terms they can understand, he said.
"They expect to bring a security question to security and get an answer that relates to the business, not how it relates to IT. You need to be able to present and bring security across all areas of the organisation."
Dixon said he finds the most success when he takes the approach of simply explaining to others what risk they face, and what the potential outcome might be for not taking the path security lays out. Koppel echoes Dixon's thoughts and said she is always working to convey the message that security understands the bigger picture of business.
"We are looking at all business processes," she said. "We're not just putting in a firewall and trying to prevent them from doing what they need to do."
Neglecting to realise that timing is key
"The biggest lesson I've learned is timing," said John Kirkwood, Global CISO of Royal Ahold, which owns American grocery chains such as Stop & Shop and Giant.
Prior to his current job, Kirkwood was the first CISO at both American Express and Credit Suisse. He remembers a time when his security message was ignored by most; then 9/11 occurred, and several high-profile viruses made their impact soon after. Those who once ignored him think he's pretty smart now, said Kirkwood. But rather than feeling a sense of smug satisfaction, he said it has taught him something about picking battles.
"If you say the right thing to the right person at the right time you will get a lot of movement. If you aren't cognizant of when an organisation is receptive, you will find that your message will be lost."
Kirkwood points to PCI-related technology as an example, and said he knew for many years it was something organisations should be investing in for their own protection. But it wasn't until compliance requirements heated up and breaches became headlines that business began to have an interest.
"A few years ago, if I said we need to spend a few million to do this, I would have been a pariah. Some people call global information security the 'Man of La Mancha' role. You're always tilting at windmills. But if you pick your battles according to timing, you'll be extremely successful. You can't fight everything every day."
Forgetting that your role in communication changes frequently
Kirkwood said he mentally prepares for meetings by going over emails, figuring out what role he will be called upon to play among co-workers that day, and tailoring his approach accordingly.
"Am I going to be a leader, an advisor? Or maybe a publisher of bad news? It varies, but I don't have to be the leader in all cases. I don't have to be the teacher or the advisor in all cases. But I have to have that ability because I will be asked to do those different roles at different times."
Koppel agrees. She said she requires her team to know more than security if they want to work for her because they will play different roles throughout the company as security representatives.
"They need to understand networks, to understand numerous things. Because of that, they can often come in and let me know if non-technical groups are trying to solve things in backward ways, or perhaps not understanding the choices they are making with some of the vendors they are working with. Then we can come in and not only address security, but try and make it a better solution and process."
Failing to recognise when communication is a waste of your time
Sometimes you can make every effort at effective communication, but it won't make a bit of difference. That's because there are times when being a good security leader means understanding when communicating isn't worth your energy. Dixon said he spent two years in a position, banging his head against the wall, trying to communicate security's importance, only to find leadership couldn't care less. Dixon felt the organisation was really just looking for a figurehead to fire when something went wrong, so he left.
"I didn't follow my gut and spent two years not being able to do what I needed to do," said Dixon. "When you are doing job interviews and discussing what the business is, unless the company and management have some understanding and support for security, it doesn't matter how good you are, you aren't going to get anywhere with security."