CISO series: Building a security-minded culture starts with talking to business managers

Cybersecurity is everyone’s business; protecting the company and its users against data leaks is no longer just the responsibility of IT and security operations. Everyone from the board to Firstline Workers has an important role to play. A culture that encourages individuals to believe they have a part in defending the company against malicious behavior requires that each person is aware of the day-to-day risks and knows how their actions and choices can mitigate, or increase, those risks. This is why we will be writing a new series of blog posts for senior security experts and executives called the “CISO series” to help further discussions from within the organization to the boardroom to the customer and help establish that security culture and mindset.

If you are like many of your peers, one of the initiatives that you’ve put in place to create a culture where everyone in your organization takes security seriously is a required, annual security training for all employees. And, hopefully, it seems to be working. Feedback from security training indicates that employees have a better understanding of their role in cybersecurity. Even more important, many of your users have begun to take steps to improve their security posture, such as by reporting suspicious emails rather than clicking the links.

There’s just one problem. Today, one of your security operations managers brings to your attention a report showing that the sales division consistently gets low scores on the training. The sales team promotes your business products throughout the world—in Asia, Europe, North America, and South America—often accessing company data from overseas via unsecured wireless. If anyone needs to ace this training, it’s this team. You’re tempted to get on the phone immediately and provide the VP of Sales a litany of scary statistics that prove how critical this training is. But, fortunately, you stop yourself. If you have any hope of increasing compliance, you need this manager engaged in the solution and on your side. What’s more, if you handle the discussion properly, the VP of Sales could give you insights to help you craft a program that his team will embrace more enthusiastically.

Turn business managers into security evangelists

If you have any hope of turning the VP of Sales into an advocate you need to frame security “in the language of the business” by “quantifying business impacts.” You’ve heard this before, but what does it mean in practice? What if we start with an even more basic truth: The most important thing to remember about the VP of Sales is that he/she is a human being. And so is everyone on the team. In other words, tried and true communication strategies that have been proven to work outside of cybersecurity also work with humans who happen to be business managers.

Five communication strategies proven to work

Take a look at the following communication strategies and see how they can be customized for your conversation with your own VP of Sales:

  • Feel—You probably have a list of statistics that could scare the VP of Sales into compliance, but they also might backfire, causing them to shut down. A more effective approach is to dial down the emotional undercurrent of the conversation and start by listening. You may think you know why the sales team has low training compliance, then again, maybe you don’t. The very first step is understanding their side. Don’t move on to solutions until you both are confident that you understand why the team has not prioritized the training.
  • Focus—Everyone is trying to do 10 things at once, but continuous partial attention means we can’t focus on what’s important. Once you understand why the sales team has not been scoring high marks on the training, you can engage the business manager (VP of Sales) in a conversation that is laser-focused on their team needs, making it more likely that you both will put your full attention on the issue.
  • Slow down—Time limits make us think less strategically. If you need time to gather the data that will support your case, consider calling for a pause, so you can do your due diligence. And make sure you time your conversation with the VP during a quiet time in the quarter. Year end is a hectic time for sales, and the worst time to try and squeeze in a cyber awareness discussion.
  • Simplify—Remember that tech speak is not the right language for this audience. Give some thought to how your security training supports the goals of the sales team. Access to reliable customer data like escalations and licenses is critical to a successful mobile data force. Cybersecurity is about ensuring the sales team has confidential access to that data wherever and whenever they need it. The VP will more likely understand your priorities if they understand how they’re aligned to their priorities.
  • Spark—Tap into the incredible power of “why” by explaining why your company needs security compliance. Make sure your security pitch and training align to this overall mission. Explain how your security efforts get the company closer to achieving its vision.

Creating a culture where everyone takes accountability for defending the enterprise against cybercrime will require that we get everyone engaged from the board and C-Suite executive to business managers and Firstline Workers. As you embark on this effort, keep in mind that how you say it is as important as what you say. You can create a path to success if you understand the motivations and goals of the business, and if you don’t forget one core truth: We’re all human. Please stay tuned for our next blog in this series where I will give you tips for engaging your C-Suite executive team in the cybersecurity conversation.

READ MORE HERE