CHAPTER 4

Evangelize Your Program

Peer and Leadership Roadshows

The business-minded CISO recognizes the value in getting out from behind their desk and selling their program. In one position, the first time I visited my organization’s facility leadership forums, I asked when the last time was that someone from IT had come to speak with them. The entire audience responded with a resounding, “Never!” One of the first things I do when I take a new role is determine who my peers are—both inside and outside of IT—and which major facilities and/or departments I need to build and maintain relationships with.

Set up regular one-on-one meetings with your peers—monthly tends to work well for me. This will afford you the opportunity to get feedback from them on your program and its initiatives, as well as afford time for you to ask for their support and assistance when needed. If you have nothing of significance to discuss one month, there is nothing wrong with canceling the meeting and returning the gift of time. You will earn credibility with your peers by showing you value your relationship and you only want high-value time with them.

Leadership roadshows are your chance to reach a broader level of management within a specific department, facility, or unit. It can be difficult to reach every employee with your most critical messages, but line management is meeting with their staff regularly and you can leverage their reach into the organization to deliver key messages on your behalf. As an example, being extra vigilant about phishing e-mails is often an organizational focus. While I find sending monthly workforce communications about trending topics to be important, I find the time I have at management and leadership meetings particularly valuable because they enjoy being the bridge back to their teams. Once I even visited a few of my organization’s big facilities and delivered their specific fake phishing campaign results as compared to the rest of the organization. In this instance, the facility I was visiting performed below average as it related to clicking on fake phishing e-mails (sent by my team) when compared to the rest of the organization. This facility’s CEO and senior management team took it as a disappointment on one hand and a challenge to perform better on the other. This type of in-person relationship with the facility management team will undoubtedly assist in their performing better in the future and reducing risk to the organization. Is there any other reason needed to commit this time and effort?

I visit these management and leadership forums roughly once per quarter and present on various topics, typically for about 15 minutes. You don’t want to wear out your welcome or dominate the management team meeting agendas, so keep the content fresh, short, and nontechnical, and take questions. I know I have been successful when I receive e-mails from the participants afterward with appreciation and follow-up questions. Make sure your presentation is high quality and tailored to their department or entity. When I go to speak with the Finance Department, for example, I always have financial anecdotes ready to discuss. If you are at a clinical facility, make it real for clinicians. Remember, they think you sit in a dark cave somewhere and have no idea what they do on a daily basis.

External References

I always like to avoid the question, “Where did you come up with that?” When the business-minded CISO is out evangelizing his or her program, they should cite reputable sources for the reasons they are recommending certain courses of action. There is an alphabet soup of standards and frameworks (NIST, ISO, ITIL, etc.), research firms (Gartner, Forrester, etc.), and consultancies that you can tap into. Many organizations publish annual surveys that benchmark performance and provide industry insights and statistics. Where applicable, cite these sources to add credibility to your business case and ongoing initiatives.

In one CISO role I held, I was able to secure a 33 percent budget increase because I included an industry survey that benchmarked information security spend as a percentage of overall IT spend. It turns out that in my industry, most organizations were spending about 6 percent of their overall IT budget on information security. This may be a little on the high side for other industries, but the perception is that the health care industry is lagging and needs to spend more to catch up on deferred maintenance. At the time, my organization was spending less than 3 percent of the overall IT budget on information security, so by citing this statistic in my business case, I was able to convince senior leadership that a dramatic increase in budget was needed to catch up.

Don’t be afraid to invite third parties in to evaluate and provide feedback on your program’s progress. When I became CISO with one security department, it was a 1.72 out of 5.0 on the maturity model. After spending about 18 months implementing a three-year plan, I invited the same firm to return and refresh their assessment. I had just informed our governing body that I believed we had risen close to a 3.0 out of 5.0 since my arrival. The outside firm rated us a 3.2 out of 5.0, validating the progress we had made and further enhancing my credibility by accurately (and conservatively) self-assessing progress. In addition to progress validation, the outside firm provided updated recommendations to continue our maturity and risk reduction journey.

If you are confident in your program, you have nothing to lose by citing and using external references. In fact, if you shy away from it or begrudgingly share your plan with others, it suggests you may not be doing the right things and sends a big red flag up to senior management.

Communication and Stakeholder Engagement

You cannot reach everyone in your organization through one-on-one and leadership meetings. You will need to establish a robust communication and stakeholder engagement process. Early on, identify your key stakeholders. They can be individuals, committees, teams, or whole departments in addition to the entire workforce. It is helpful to document these stakeholders in a spreadsheet or database so you can track the frequency with which you communicate with them, discussion topics, and any feedback/action items you may have been given. Figure 4.1 shows a simple example of how to organize your stakeholders.


Figure 4.1 Tracking stakeholder engagement

It takes extra effort and discipline to keep an up-to-date stakeholder engagement plan, but I have found it to be an invaluable tool for managing my interactions and delivering on my commitments.

Communications are an important facet of your program. You should categorize your stakeholders by segments of your workforce and tailor your communications for those specific audiences. Categories I have used include all workforce, clinicians, IT-only, and senior management. I typically send at least one communication to the entire workforce monthly. One month I might remind them about being diligent with regard to responding to phishing e-mails, but another month I will provide an update on emerging threats and other subjects of interest. I update senior management when there are significant accomplishments made in our program or there is a lot of public news about a cyber attack or threat. Giving the senior management team talking points as well as visibility into security efforts helps keep them engaged, connected, and knowledgeable. IT-only communications are typically produced when technical information or broad IT impacts of a security event are important to communicate. Clinician communications are tailored to their workplace and created in a nontechnical manner that is easily digested. Clinicians are very busy serving patient needs and don’t have time to read detailed communications. I always make these communications short, easy to understand, and most importantly, informative about what they can do to protect against cyber threats.

A communications program can take many forms. E-mail is easy, and if your organization has a template you can use, you can create a campaign that workforce members will begin to recognize. Posters and flyers are also effective means of communication. Our team creates quarterly flyers and posters focused on a theme. We print them and we provide them to facility managers to hang and display in employee break rooms, cafeterias, and other back-office spaces.

Tip: Brand your communications. Create a logo or icon for your program that workforce members will begin to recognize and identify as your program.

Intranet Presence

Every organization has an intranet presence where corporate information, news, and online resources are located for convenient access by the workforce. The business-minded CISO recognizes that this tool can be extremely effective in evangelizing the security program. If you don’t have your own department set of pages, you should. Frequently the IT risk management/information security presence resides with the overall IT department section. That’s fine, but make sure you put ample effort into your sections so that they are resources everyday employees will find interesting and want to visit regularly. Here are a few sections I always create and maintain with informative content:

  • About Us: organizational chart and contact information for you and the team;
  • Resources: policies, guidelines, standards, and so on;
  • Training and Awareness: web-based trainings, posters, and other training material; and
  • News: interesting articles and news about your industry and the IT risk and cyber landscape.

If you have the resources for a full-time training and awareness coordinator on your team (I always make a strong case for one), maintaining your intranet presence can be part of their responsibilities. At the end of every roadshow and the bottom of every communication we send out, we list the intranet web link to our site. I encourage everyone to visit our site and utilize the resources located there. If you are going to actively market your site, you must make sure it is worthy of those efforts. I have hired professional web designers as contractors to get my site and resources up to snuff. Make a quality product and folks will visit it without a lot of prodding.

To measure which parts of your site are getting the most visits, you can typically monitor click counts on different resources and determine where folks are visiting the most. Pages with little to no traffic should either be enhanced or removed and replaced with pages that will receive visitors. Intranet site visits are a key metric I report on each month to further justify the time and effort the team puts forth.

Summary Points

  1. Make sure you put in the effort to plan and execute on your plans to evangelize your program. The best program in the world, if unknown or misunderstood, will not be as successful as one that the entire organization has some level of understanding and awareness of.
  2. Use every form of media at your disposal to communicate your critical messages and provide access to your resources. It takes a little time to get workforce members to recognize your e-mail blasts and to find and visit your intranet site. Don’t be discouraged if the volume of readership or take-up of resources is low early on. After about a year of sending monthly communications, I began to hear from people during live conversations that my security bulletins were the only IT messages they read. Bottom line: Make them interesting and easy to understand and they will be broadly consumed.
  3. Get out there! I cannot stress this point enough. Don’t sit behind your desk and delegate the evangelism of your program to more junior staff. You are the leader; your workforce and leadership team want you out there selling and building support for your important work.