Chapter 7. Step 4: Use Communications to Get the Message Out

I’m a huge believer in the power that communication, education, and awareness can have in your pursuit to secure your company’s information assets. Of all the activities I give my time to as a CISO, none is more important, or has a better ROI, than communications. If I could do only one activity in the InfoSec space, it would be this one.

This topic is so important that for over 20 years and multiple CISO gigs, I’ve always had a dedicated communications person supporting the team, amplifying our work, and broadcasting InfoSec messages throughout the company. If InfoSec were a body, communications would be the heart of the program. If you’re not focused on communications as a CISO, hopefully this chapter will give you some things to think about.

What Is a Communications Program?

A communications program (or simply communications) is the thoughtful delivery of targeted and relevant messages to the various departments and teams throughout the company that inform them of their responsibilities for cybersecurity. A communications program is proactive about security, and the goal is to provide information to staff that causes them to take actions toward greater measures of security over the information assets under their control. Communications is the vehicle by which staff members understand their responsibilities for safeguarding sensitive digital assets.

Communications encompasses awareness, education, and training. It’s the many channels through which cybersecurity roles and responsibilities are communicated to staff members, and it makes educated consumers of all staff members. Since people learn through different media channels, a good communications program will consist of a variety of vehicles, each designed to reach staff with the messages they need to hear. Here’s a sampling of communications channels that a well-rounded program may include:

· In-person presentations

· Cybersecurity conferences

· Lunch-and-learns for nontechnical staff

· Technical training sessions

· Raffles and giveaways at company-wide events

· Tables at company events (which give an opportunity for your team to get out and meet others and spread the word)

· Handouts like pens, with reminders on them of the importance of security

· Company-wide emails

· Simulated phishing campaigns (run by or for InfoSec, with the results reported back to staff)

· Notes from the CISO (especially effective following a company-wide incident or breaking news story)

· Posts to internal electronic bulletin boards (Facebook’s Workplace, for example)

· Office/workplace posters

· Desktop notes left on staff desks

· Tabletop tents on cafeteria/coffee shop tables

· Animated or live videos

· Nonanimated cartoons

· Video games and company-wide competitions

· Cybersecurity articles on the company’s portal

As a security leader, you should expect communications to consume a large portion of your time. As you can see from the variety of delivery mechanisms, having someone on your team whose job is dedicated to communications is critical. I have a creative side, so this activity really engages my interest.

Why Is a Communications Program So Important?

The best way to illustrate the importance of a communications program is by example. Imagine that you have an unlimited InfoSec budget and could purchase every tool on the market (I’ve known some CISOs who appear to be in this situation). Now imagine you have one staff member who receives a phishing email, clicks the link or attachment, and is successfully phished (not many tools on the market can protect against this behavior). Even with an unlimited budget and the acquisition of all those tools, it takes just one uneducated staff member to mishandle a phishing email, and boom, you’ve been owned.

That’s the point: communications is the best way to inform employees about the actions they can take to protect the company from potential compromise. There’s no other way to reach them with this information, and in many situations, no tool or software can protect the company. Humans are required to evaluate and respond to the situation. You can be successful in safeguarding company assets only if every employee is doing their part and knows how to recognize and report a security policy violation. For this reason, communications is one of the main pillars in my seven-step program.

A good communications program will be your opportunity to highlight the many good things the InfoSec team does for the company. Few inside the company understand the myriad of processes, groups, and functions that an InfoSec team must work with.

For example, InfoSec’s role in procurement can be quite involved, but few are truly aware of our role. As each contract is awarded, the InfoSec team should be involved to ensure that the contract specifies the right terms and conditions to safeguard the company electronically. If the third-party vendor is to receive access to the company’s data, how will that data be protected on their end? What will the employees of the third-party vendor be given access to, and for how long? Who will monitor their access privileges for policy violations? If data loss or theft is occurring, how will it be detected and reported? Only the InfoSec team is able to raise and resolve these issues. Communicating this throughout the company will make everyone aware that as contracts are awarded, staff members must include the InfoSec team in the process.

Communications Within the InfoSec Team

Communications are critically important to the InfoSec team because most InfoSec types aren’t great self-promoters. We’re engineers who like to keep our heads down and our eyes glued to our monitors. We prefer to stay focused on the technical challenges of our industry. If we have to get out of the office and give a presentation, no thanks.

Look at your team members. Most of them would probably prefer technical work to giving a presentation or training session. Most techies prefer the human-computer interface to standing in front of an audience of 30 unfamiliar people. It is the responsibility of the communications person to review the work of each staff member and identify opportunities to communicate this work out to the broader company. A good communications person will amplify the contributions of your staff that would have otherwise gone unnoticed.

Another tendency I’ve found is that InfoSec’s contributions are seldom realized by others because we’re often too busy, unwilling, or unmindful of the need to tell others about them. We’re also tempted to believe that doing so might be perceived as “tooting our own horn.” If you’ve hired a solid communications person, they will connect the dots here and draw this information out of the InfoSec staff. It’s their job. A good communications program informs the company of the team’s many positive contributions.

For example, consider the work involved to implement a software-as-a-service (SaaS) file transfer service. For IT, this can be delivered in about 15 minutes: IT integrates it into the company’s authentication solution, makes the SaaS service available to staff, and voila, you’re up and running. But to offer it in a secure fashion, the timeline is greatly expanded. The security controls to be implemented will take several meetings to discuss and decide, among them:

· The sensitivity of the information the SaaS service will process

· The access rights and privileges of its users

· Multifactor authentication, ideally enforced by your identity provider through a Security Assertion Markup Language (SAML) integration, and otherwise natively in the app or service itself

· Monitoring of the app’s events, and getting the logs from that service into your logging and monitoring service

· Testing of the service’s API for vulnerabilities

· Integration of DLP services with the API of the SaaS service

· Backup and retention of data kept in the service

· The ability to support legal investigations if needed

· Alerts on the app’s use, for instance when someone downloads an excessively large amount of data

The list goes on. Communicating these considerations to the IT staff will help educate them about the myriad of services your team provides. Without a communication program, however, these types of support services are often overlooked and underappreciated by the company.
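Two of the controls above, getting the service’s events into your monitoring pipeline and alerting on excessive downloads, are concrete enough to show. The following is an added example and not code from the book or from any particular file transfer product. It assumes the service can export audit events as JSON lines with the fields ts, user, action, bytes, and file (real services name these differently, so map them at ingest), and the window and thresholds are illustrative values, not a recommendation. The sample events are constructed.

```python
"""Flag excessive downloads in a SaaS file-transfer audit log.

Added example (not from the book). Assumes a JSON-lines export with the
fields ts, user, action, bytes, file; adjust the mapping for a real service.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy values are assumptions for the example: alert when one user downloads
# more than MAX_BYTES, or more than MAX_FILES files, within any WINDOW.
WINDOW = timedelta(hours=1)
MAX_BYTES = 500 * 1024 * 1024  # 500 MiB
MAX_FILES = 50

# Constructed sample events, not a real export. Alice pulls 600 MiB in 20
# minutes; Bob only uploads; Carol's two downloads are 90 minutes apart.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:00:00Z", "user": "alice", "action": "download", "bytes": 104857600, "file": "q1-report.xlsx"}
{"ts": "2024-03-04T09:05:00Z", "user": "alice", "action": "download", "bytes": 209715200, "file": "customer-list.csv"}
{"ts": "2024-03-04T09:20:00Z", "user": "alice", "action": "download", "bytes": 314572800, "file": "contracts.zip"}
{"ts": "2024-03-04T09:30:00Z", "user": "bob", "action": "upload", "bytes": 734003200, "file": "backup.tar"}
{"ts": "2024-03-04T10:00:00Z", "user": "carol", "action": "download", "bytes": 52428800, "file": "deck.pptx"}
{"ts": "2024-03-04T11:30:00Z", "user": "carol", "action": "download", "bytes": 52428800, "file": "deck-v2.pptx"}
"""


def parse_events(text):
    """Parse JSON-lines audit events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        # Exports usually use a trailing 'Z'; make it an aware UTC datetime.
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def find_excessive_downloads(events, window=WINDOW, max_bytes=MAX_BYTES,
                             max_files=MAX_FILES):
    """Sliding-window totals of download bytes and file counts per user.

    Returns one alert per user, raised at the first event that breaches a
    limit, so a single bulk exfiltration does not produce a flood of alerts.
    """
    recent = defaultdict(deque)   # user -> deque of (ts, bytes) inside window
    totals = defaultdict(int)     # user -> bytes currently inside window
    alerts = {}
    for ev in events:
        if ev.get("action") != "download":
            continue
        user = ev["user"]
        size = int(ev.get("bytes", 0))
        q = recent[user]
        q.append((ev["ts"], size))
        totals[user] += size
        # Evict events that have fallen out of the window.
        while q and ev["ts"] - q[0][0] > window:
            _, old = q.popleft()
            totals[user] -= old
        if user not in alerts and (totals[user] > max_bytes or len(q) > max_files):
            alerts[user] = {
                "user": user,
                "at": ev["ts"].isoformat(),
                "bytes_in_window": totals[user],
                "files_in_window": len(q),
                "reason": "bytes" if totals[user] > max_bytes else "files",
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in find_excessive_downloads(parse_events(SAMPLE_LOG)):
        print(alert)
```

In practice the same loop would run over events streamed from the service’s API into your logging platform, and the thresholds should be tuned per role: a finance analyst pulling 600 MiB of exports may be routine, while the same volume from a departing contractor is the case the legal and HR conversations later in this chapter are about.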

The Goal and Objectives of the Communications Program

The goal of the communications program is to inform every staff member of their unique responsibilities for maintaining InfoSec and how to report policy violations when they’re detected. That’s it. Therefore, the communications plan must include individual messages crafted for each department, team, and process owner. Obviously, the company’s technical teams will be the recipients of a broader variety of messages as opposed to the general staff members working in finance, who may need to know only a few items related to the security of the data they process.

Security is everyone’s responsibility. It is not the sole responsibility of the InfoSec team. This belief lies at the core of your communications program, and communicating to each and every employee is key to your efforts and success. The communications plan enables you to do this.

Some suggested steps for communicating throughout the company are as follows:

1. Identify every business unit, team, group, leader, and process owner.

2. For each entity identified in step 1, understand the sensitivity of the data supporting their business process.

3. Identify the policy requirements affecting that entity.

4. Identify the behaviors you’d like to instill in this team/individual that would enable them to protect their information.

5. Craft a message to achieve this behavior.

6. Decide how best to deliver the message. Table 7-1 shows example content over the course of a year, and Figure 7-1 shows various communications channels you can employ to deliver your message across the company.

7. Identify who on the InfoSec team will deliver which messages and to which groups/teams.

· Video Newsletter: Phishing; Laptop security; MFA; Training; cybersecurity conference; Incident reporting

· Roadshow Video: Phishing; MFA; Customer data; Training; WiFi

· In the News: COVID-19; other topics as newsworthy events arise

· Lunch-and-Learn Events: Incident reporting; MFA; Training; cybersecurity conference

· Ambassador Program: Phishing; Customer data; MFA; Phishing; Passwords; Training + cybersecurity conference

· Council, All Hands: Phishing; Phishing; Passwords; Customer data; MFA; MFA; Training; Training; Training; cybersecurity conference; Training

· Email: Phishing report out; Phishing report out; MFA; MFA; Phishing report out; Training + cybersecurity conference; Training + cybersecurity conference; Phishing report out; Phishing program

· Posters, Desk Drops: MFA; Training; cybersecurity conference

· Workplace Graphics: Incident reporting; Laptop security; Passwords; Customer data; MFA; MFA; cybersecurity conference + passwords; Training; cybersecurity conference; WiFi; Phishing

Table 7-1. Sample communications plan road map (months Feb through Dec; the topics for each channel are listed in calendar order)

Figure 7-1. Use a variety of channels to deliver your communications messages

Starting Your Communications Program

I believe the most important team member on any cybersecurity team is your communications person. Preferably, this person is specialized in marketing and communications. If you don’t have a team member dedicated to this role, I strongly recommend you consider one. I’ve used the same marketing and communications firm for nearly 20 years. Having worked with them for that long, they’ve become security experts who are able to quickly draft up materials without much involvement from me or the team.

I’ve found it enormously beneficial to have this person embedded as part of the InfoSec team. That role is so important that this individual owns the first portion of our weekly staff meeting. The initiatives this person tracks require visibility and participation from the team. I consider the position the most important one on the team, and I think it’s important for the entire team to know that. Over time, the InfoSec team grows dependent on the communications person, and they become instrumental to all components of our work because just about everything we do requires some measure of communication.

Not All Departments Require Equal Levels of Communication

The details of any communications plan will depend on the complexity of your company and its departments. Three client groups that I’ve found occupy a great deal of energy in the communications plan are the HR, legal, and corporate security departments. I hold regularly scheduled meetings with each of these teams. These meetings are a part of our communications plan and do more to increase awareness among these groups than anything else we could do.

In my past positions, I’ve established quarterly meetings titled “Did You Know” for the legal and HR departments. I use this time to educate them on the latest in internet scams, phishing attacks, instant messaging tools, social media platforms and the scams run on them, mobile apps, email, voice-over-IP (VoIP) scams, remote desktop tools, the Dark Net, and other relevant activities. Discussing these topics with the legal team members not only helped them understand the trends among our staff, but was also useful in their personal lives. This made their jobs easier and helped InfoSec by increasing our value and extending our team into the legal department. This regularly scheduled meeting was our opportunity to help them understand what was happening across the cybersecurity world.

At my first meeting, I had no idea of the kind of response I would get from the attendees. I discovered that many of the attorneys were eager to learn for their own personal knowledge. For example, in one meeting we discussed the Dark Net and hacker boards and how readily available hacked usernames and passwords were. The discussion quickly turned to the implications to our company and staff. And presto, we had the attorneys making decisions for greater security that would have never happened without these meetings. The result of that particular conversation led to more meetings and an expanded audience within the legal department.

News of this meeting spread to the other groups within the legal department. Soon we were meeting with the IP attorneys, discussing protection of the company’s intellectual property, which led to the initiation of a data loss prevention project. This project was sponsored by the legal department and would never have occurred had it not been for the InfoSec team communicating relevant information to them. This is a clear example of how communications allowed us to connect with another department, which in turn took ownership for the security of its data and systems.

Your Team’s Responsibilities

Communication must be a full-court press, and everyone on the InfoSec team must be involved. Your team has to “own it.” Communications will require a time investment on your part if you hope to reach everyone in the company. Often this means taking the message “to the streets” yourself.

Your team owns the entire communications plan. Team members must be involved in every phase of its development, and they must be assigned to individual efforts within the program. Further, they should be incentivized on outcomes, and as you get the message out, your team must be ready for the response you’ll get and the subsequent work that will follow.

Communications at Work

Some of the examples I’m about to share could almost as easily be included in the chapter on relationships, or even alignment. So in the situations I describe, I highlight the communications component, although many other pieces could aptly apply to several other steps of the seven-step process.

Example 1: Training with Industry Experts

I had tried for over a year, working with the network services team and not wanting to damage our blossoming relationship, to get intrusion detection systems (IDS) installed but was met with one excuse after another as to why it couldn’t be done. No matter which network engineer I approached, the installation was stonewalled. My initial reaction was that the network engineers were up to no good and didn’t want us seeing their internet traffic. My other theory was that they were incredibly lazy and allergic to work, and didn’t want us seeing that.

Whatever the situation was, I couldn’t make any progress. My last choice was to escalate the IDS implementation within the organization to get the work forced upon the network services team. I knew if I did this, I’d win the battle but lose the war, so I refrained from that option.

Finally, it occurred to me that I had another option: I could bring in a network security training course offered by a professional security organization. I would review the curriculum and ensure that network monitoring and IDS were included in the materials, and then hope for the best. I chose this path.

I made arrangements to have the class offered on site with lunch provided. Don’t underestimate the power of feeding techie types. All of the network services employees were invited, and most of them showed up. During the time of the class, I was sitting in my office when, much to my surprise, one of the network engineers attending the course rushed in to thank me for the course. Without hesitation, they asked me if we had IDS installed at any of our internet points of presence (POPs). I responded that we did not. They were shocked and insisted we needed them. I told them it was a brilliant idea. It took me a while to pick my jaw up off the floor. The course had paid for itself before its first snack break.

Within two weeks from the completion of the course—that’s right, two weeks—we had IDS installed at all our internet POPs around the world. Keep in mind, I’d spent the better part of a year trying to get them installed through finesse, and by hook or by crook. One course from an external vendor, and magic! This little episode taught me a valuable lesson on technical training and on the use of industry experts to get work done.

Example 2: Collaborative Decision Making

On another occasion, I learned that the company had entered into a contract with an external vendor to host all of our email services. It was hard to argue with a decision like this, because it made sense to everyone. But what seemed like a good idea for the IT department was unacceptable to the legal department.

Because of our previous work on a myriad of issues with the legal team, the attorneys were fairly well educated in InfoSec. When they caught wind of the outsourcing idea, they met with the CIO to voice their concerns. The project was halted. Needless to say, the email administrators got InfoSec religion quick, and the CIO wanted to know why someone from our group wasn’t on the project team. Ha. Good question.

The CIO knew we weren’t ratting out the email project team either. They were aware of our weekly meetings with the legal department and understood we used the meetings to educate the attorneys. It was through this weekly communication that we made the legal team aware of the outsource plan, and they understood the implications of email being hosted and supported by another company.

Their adamant opposition to the deal came with the organizational clout to stop it. Without our weekly conversations, this never would have happened. The regular communication and mutual respect we built strengthened our InfoSec practices. This is precisely the kind of increased collaboration that comes from having a good communications plan, and that leads to smart decisions about InfoSec across the company.

Example 3: InfoSec Campus Events

Another company I worked for placed a high value on education and academic achievement. Because of this, I was able to sponsor a two-day security conference in our conference center on our campus. The conference was well attended from among the 3,500 IT staff. We brought in great speakers and had some of the senior IT managers speak. The CIO gave the keynote address.

Beyond hearing industry leaders speak on relevant topics, this kind of event also allowed for breakout groups to address some of the specific interests of IT staff. Those who attended were steeped in the message of security and, as a result, gained knowledge and interest in what our group was doing in the following months. In the end, the ROI of such an event was over the top, as the message of security was conveyed to hundreds of staff members, and little of it was delivered by the InfoSec team.

Signs the Communications Plan Is Working

Building a strong communications program requires focus and energy in an area not usually considered part of an engineering team’s remit. But how do you know if your communications plan is working? As we communicate our security message across the company, the groups we interact with start to own the InfoSec responsibilities in their space. This, in turn, causes the demand for our services to rise. The InfoSec team will have to be ready to meet this demand and to let the requesters participate in the security process.

As the demand for our service rises, the InfoSec team adds more staff members, and your communications army grows. I found that once the communications plan was underway, the demand for our services rose so quickly we had a staffing shortage within the InfoSec team and were unable to hire fast enough. This is a vicious cycle. It also exposed the need to educate others on InfoSec so that they could address some of their own security needs without depending on our team for support.

Occasionally, I’ve learned the hard way about what doesn’t work in the communications arena. At one company, I thought I’d have a surefire hit when we brought in the leading internet law expert to speak. It was a symposium open to the entire company, and no one showed up. What a disaster! I attributed the attorneys’ lack of interest to the fact that they were already getting all the information they needed from us through my quarterly Did You Know meetings and the almost weekly meetings to discuss our forensic case load. What I do know is that not all your efforts will produce big results, but if you stay at the task, your team will see dramatic results, and in the long run the ROI of communication will be off the charts.

Conclusion

Getting the communications program off the ground begins with having a marketing and communications person on the team. The responsibility for developing the communications program will rest with this person. A successful program must have a communications plan that guides your team in a thoughtful and intentional way.

The plan must include targeted messages and the delivery mechanisms for each department and the subsequent behavior goals you hope to accomplish. The entire InfoSec team must be involved and incentivized to achieve specific goals. You’ll know the program is working when demand for InfoSec services is rising and staff members are being added to the team. You’ll also notice that employees are reporting more incidents, and business units are taking responsibility for the security of the information supporting their business process. Communications can be fun for those with a creative bent. I personally enjoy this part of the overall cybersecurity work, and next to relationship building, I place it at the top of the value chain.
