Communication strategy for security leaders

Image by rawpixel.com

I previously wrote about the complexity of communication and the multi-faceted nature of the CISO role. Combining these perspectives, I would like to give an overview of what a communication strategy might look like for a security leader.

Building on the business alignment framework for security that I developed, let’s start with key factors that underpin the success of a security function. In my opinion, a security leader should first and foremost focus on the following:

  • Integration. Security risk should be integrated into the overall business strategy and enterprise-wide risk management.
  • Risk appetite. The business's tolerance for security risk should be consistent with the business strategy.
  • Collaboration. The security function should collaborate with other stakeholders in order to ensure a systematic approach to security and appropriate prioritisation of risk mitigation activities.

When it comes to collaboration, it is important to define key interfaces and outcomes with target stakeholder groups. This is the foundation of your communication strategy.

Interface and interaction topics:

Board
  • Development of overall security strategy
  • Security enablement of business capabilities
  • Security culture development

Top management
  • Translation of business needs into security roadmaps
  • Reporting of overall security performance to the business
  • Financial planning (budgeting, forecasts and actuals reporting)
  • Managing crisis scenarios and major security incidents

Management
  • Development of service integration processes and tools in line with the overall services portfolio
  • Contracting with outsourcers, cloud providers and consultancies
  • Service level planning, forecasting and performance reporting

Product team
  • Development of overarching security guidelines
  • Prioritisation of initiatives
  • Provision of security requirements
  • Architecture and security guidance as part of ongoing changes and projects
  • Development of security enablers

Development team
  • Security guidelines and standards
  • Incident response and issue resolution
  • Implementation of security tooling
  • Security advice
  • Continuous improvement

As always, feel free to tailor this to the needs of your organisation, as stakeholder groups and priorities may differ depending on the context. For example, I give my view on securing a tech startup separately.

You can add more information, detailing specific stakeholders, their preferred method and frequency of communication, level of support, etc., as I described in my blog post on security project management. This, of course, is not meant to be a one-off exercise. Understanding and engaging existing and emerging stakeholders is an ongoing effort if you want your initiatives to be successful.
