While I was chief security officer (CSO) in Michigan, the most impactful way our centralized security team communicated with executives was with regular security roadshows with client agencies. Important information was exchanged during these annual sessions in front of top business leaders, including physical- and cyberthreat briefings, key project status updates, discussions on security capabilities, conversations on staff awareness training programs, and ongoing incident status reports.
While we packed a lot of topics into an hour, our format encouraged an open dialog with everyone involved to build face-to-face transparency, accountability and trust. But before we traveled around to meet with government leaders in each department such as state police, transportation, treasury and more, we started each governmentwide cybertour with the governor.
These meetings were important because they brought our security project scorecard to life with statewide metrics and agency-specific actions. They enabled ongoing conversations regarding cybersecurity risks and outlined the steps that were being taken or could be taken to mitigate threats. Our stated goal was “to balance security and ease of use to maximize value and enable the business.”
So how can you begin this security conversation with business areas in your government? Here are five communication tips to consider:
1. Do Your Homework. Decide who should be involved, what topics and materials will be covered, when to put these meetings on busy calendars, where you will meet, and how you will run the meetings. As CSO, I let the business areas select their executive participants, and some groups kept it small, while others invited up to 30 agency leaders. Also, if scheduling the time isn’t working, you likely have a larger business priority issue regarding cybersecurity.
2. Select Good Metrics and Keep Reporting. Just as businesses maintain key metrics of success, offer measurements that are understandable and repeatable as part of the ongoing security conversation.
3. Adapt to the Audience. While a consistent, updated enterprise presentation was offered every year on our roadshow, we also adjusted our messages to each audience. Flexibility is especially needed when meeting with new agency leaders who need to bone up on security concepts.
4. Don’t Limit Communication Options. Security roadshows should be a part of a wider set of ways you communicate with business groups. Channels can range from newsletters to emails to tabletop exercises to emergency call lists for incidents. We also invited our government partners to our cybersummits and scheduled one-on-one lunches. Nevertheless, ongoing security roadshows were a vital component of our overall cyberstrategy.
5. Leverage Existing Governance Mechanisms. One chief information security officer I know uses technology and security advisory boards to help provide briefings to key business executive staff, while also keeping the governor’s office and cabinet officials informed. He also uses the same briefings for cabinet meetings, legislative committees and updating other government entities that have an ongoing role. For low-hanging fruit: Start small with key business areas.
Having a strong endorsement from top elected officials is great, but (sadly) is not always the case. If you can’t get your top leader to vocally support cybersecurity, try to find business-side champions to help shape your message. Most organizations have leaders, followers and laggards on tech, so start with a “coalition of the willing” who support your efforts to get some needed momentum.
Remember, the top complaint in most public- and private-sector organizations is a lack of good communication on key issues, including cybersecurity. Security roadshows will improve your team’s effectiveness by offering meaningful dialog with business executives on cybersecurity risk.