I previously wrote about the complexity of communication and the multi-faceted nature of the CISO role. Combining these perspectives, I would like to give an overview of what a communication strategy might look like for a security leader.
Building on the business alignment framework for security that I developed, let’s start with key factors that underpin the success of a security function. In my opinion, a security leader should first and foremost focus on the following:
- Integration. Security risk should be integrated into the overall business strategy and enterprise-wide risk management.
- Risk appetite. Business risk tolerance relative to security risk should be consistent with the business strategy.
- Collaboration. The security function should collaborate with other stakeholders in order to ensure a systematic approach to security and appropriate prioritisation of risk mitigation activities.
When it comes to collaboration, it is important to define key interfaces and outcomes with target stakeholder groups. This is the foundation of your communication strategy.
| Stakeholder group | Key interfaces and outcomes |
|---|---|
| Board | Development of overall security strategy; security enablement of business capabilities; security culture development |
| Top management | Translation of business needs into security roadmaps; reporting of overall security performance to business; financial planning (budgeting, forecasts and actuals reporting); managing crisis scenarios and major security incidents |
| Management | Development of service integration processes and tools in line with the overall services portfolio; contracting with outsourcers, cloud providers and consultancies; service level planning, forecasting and performance reporting |
| Product team | Development of overarching security guidelines; provision of security requirements; architecture and security guidance as part of ongoing changes and projects; development of security enablers |
| Development team | Security guidelines and standards; incident response and issue resolution; implementation of security tooling |
As always, feel free to tailor to the needs of your organisation as stakeholder groups and priorities may differ depending on the context. For example, I provide my view on securing a tech startup.
You can add more information, detailing specific stakeholders, their preferred method and frequency of communication, level of support, etc., as I described in my blog on security project management. This, of course, is not meant to be a one-off exercise. Understanding and engaging existing and emerging stakeholders is an ongoing effort if you want your initiatives to be successful.