What do you do if your communication isn't convincing others to prioritize Information Security?
Understanding the critical nature of Information Security (InfoSec) is essential, yet convincing others to prioritize it can be challenging. If your communication efforts are falling flat, it’s time to reassess your strategy. Remember, effective communication is not just about relaying information; it's about ensuring the message is received and acted upon.
When discussions about Information Security fail to resonate, consider reframing the context. Instead of focusing on technical aspects or fear-driven scenarios, align your message with the values and goals of your audience. For instance, if you're speaking to business leaders, emphasize how Information Security is integral to protecting their bottom line, reputation, and customer trust. By making the topic relevant to their priorities, you're more likely to gain their attention and commitment.
-
First, ensure the business understands why security matters. Highlight the financial risks: what happens to share prices if a publicly traded company gets hacked? Reputation tanks, customer trust plummets, and the bottom line takes a hit. Instead of technical jargon or fear-mongering, align Information Security with business goals. Protecting the brand, regulatory compliance, and securing revenue streams all depend on robust security. Bring it home with real-world data and case studies. Make it clear: good security isn't just smart; it's vital for business success.
-
Frankly, you have to look at yourself first. Are you pontificating about security, or are you showing how information security is a critical business imperative? A lot of security professionals don't really appreciate the importance of demonstrating business value and just assume everyone thinks security is important.
-
One of the biggest challenges all the time is the conflict between the business team and the security team in any organization. Sometimes business and security speak different languages, making it challenging to understand each other's perspectives and creating a sense of division. Moreover, the technical experts sometimes struggle to communicate the risks effectively in a language that the business can comprehend and act upon.
-
I actually think the first step in reframing the image of security in an organisation is to sit down with key stakeholders and understand their needs and pain points. Security should be an enabler, not a barrier - if the concept of it isn't resonating it's likely because your security measures are too cumbersome, or are too onerous/arduous. If security doesn't work for people, it doesn't work. Period.
-
If your message is falling on deaf ears, the tendency is to talk louder or blame the audience, but that is wrong. Cyber has its own language, Privacy has its own language, Business has its own language. It is your job to learn to speak the language of the audience. You must understand what inspires, scares and amuses them. Being an “award winning” CISO means nothing to business if your message is doom and gloom or presents a road block to business. For every issue you find, you must also have a realistic business enabling solution. If you don’t and are in a leadership position, it might be time to step down. Cyber security is a business issue first and you must understand the business you are working in.
To make Information Security a priority for others, personalize the risks involved. Rather than abstract threats, provide concrete examples of how a breach could affect them directly. For example, discuss potential scenarios where their personal data or work could be compromised, leading to tangible consequences like identity theft or loss of professional credibility. This approach can turn a distant concept into an immediate concern that demands action.
-
Explain how an Information Security incident can tarnish an individual's reputation or professional credibility. Provide examples of high-profile data breaches resulting in public scrutiny, job loss, or damage to career prospects. By illustrating the long-term consequences of reputational damage, individuals recognize the importance of safeguarding their personal and professional information to preserve trust and credibility.
-
This makes the threat more real rather than just a hypothetical scenario, and helps people understand the consequences of their actions/inactions. This makes IS more relatable and emphasises the importance of everyone's involvement in safeguarding information assets. People often act differently when they perceive a personal stake or risk of loss.
-
Clearly articulate the potential risks and consequences of neglecting Information Security. Use real-world examples, case studies, or industry trends to demonstrate the impact of security breaches or data breaches on the organization's reputation, finances, and regulatory compliance.
-
We all come from different backgrounds. Embracing our differences, we recognize that none of us are inherently better or worse, just different. Let's dive into practical AND CUSTOMISED exercises. While understanding cybersecurity concepts theoretically is valuable, it's the application that truly solidifies learning. By integrating practical exercises like simulated phishing attacks or breach scenarios into our training programs, we empower employees to put their knowledge into action. These exercises serve as eye-opening experiences, highlighting the significance of cybersecurity and allowing us to grasp the repercussions of security breaches within a safe and controlled educational setting.
-
As an expert in information security, it's crucial to personalize the risks associated with breaches to prioritize the importance of security measures. Instead of discussing abstract threats, provide concrete examples of how a breach could impact individuals directly. By highlighting potential scenarios where personal data or professional work could be compromised, such as identity theft or loss of credibility, you make the consequences more tangible and immediate. This approach fosters a sense of urgency and accountability, prompting individuals to take proactive measures to safeguard sensitive information and mitigate potential risks.
Collaboration can be a powerful tool in convincing others to prioritize Information Security. Engage with different departments or team members to understand their specific needs and concerns. By involving them in the conversation and decision-making process, they become invested in the solutions. Show them how improved security measures can facilitate their work, not hinder it, and they'll be more likely to support and advocate for necessary changes.
-
Organize workshops or collaborative sessions involving representatives from various departments to foster a deeper understanding of Information Security concerns. Encourage open dialogue to identify department-specific vulnerabilities and explore tailored security solutions. By soliciting input and involving stakeholders in decision-making, you promote a sense of ownership and collective responsibility towards Information Security.
-
Champion collaboration within the organization, engage various departments, empower ownership of information security within each department. Be open to understand the departmental concerns, provide perspective and reasoning for the controls and when appropriate, adjust policies to facilitate their work not hinder it.
-
INFORMATION SECURITY is a typical second-line area; therefore, one of its key characteristics should be collaboration. It's not just about dictating what and how activities should be executed, but as they work with the entire organization, in addition to being resilient, they must be empathetic, know how to listen, communicate simply, and ensure that, by appealing to that power to influence others, in a clearly collaborative environment, the process owner does what needs to be done, with the assistance of #InformationSecurity.
-
The stick and the carrot. You can let them choose. Over time they will learn the carrot is better. If you've experienced a cyber-incident of any nature, I'm pretty sure the business has some role to play there. Make them come with you, for example, to explain to a client that their data is gone because somebody did something stupid. And let them do the speech. They'll do it once. Not twice. That's the stick. If you've never had to go through it yet, you're lucky. Buy a lottery ticket or something. Then go back to work and show the business how, by collaborating with you closely, THEY'll be able to, for example, shorten the go-to-market of THEIR new product or service. And notice the THEY/THEIR. This is not about you. That's the carrot.
-
In my experience it is advisable to look for and strengthen the strong points of collaborating with any of the business areas. You have to make them see that we are not a stopper and that we are a facilitator so that things get done properly and, on top of that, securely.
An ongoing education process is vital for keeping Information Security at the forefront of everyone's minds. Create opportunities for learning through workshops, newsletters, or regular meetings that highlight recent security trends, threats, and best practices. When people understand the evolving nature of cyber threats and the role they play in prevention, they're more likely to take personal responsibility for security measures.
-
Once more, cyber risks never rest, always lurking. Therefore, training and awareness must be a continuous and flawlessly executed process. Tailored to each company, it should encompass the best methods of communication, testing, auditing, challenging, and enhancing. A robust plan defined by the CISO with the support of top management (tone at the top), HR, Communications, Compliance, as well as excellent execution, with constant audit validations, and agile corrections, to emerge stronger.
-
Hold training sessions and interactive workshops to educate your colleagues about potential security threats and their role in preventing them. It is also crucial to articulate the consequences of not managing risk in simple and relatable terms, e.g. using case studies - I like using Latitude, Uber & Optus as they have good coverage of key security domains/threats (third party risk, MFA, APIs, social engineering).
-
The temptation is often very great to think that the directors, C-suite and other top brass either know what they're doing (they don't! Not when it comes to cyber security!) and that they don't need training, or that they're too busy for training. Put that thought very far out of your mind. They are the number 1 targets, and therefore need the most bespoke and probably even intense training of all the employees. Also 'bring it home' - teach them how to teach their family members about cyber security. So many data breaches nowadays started with the first foothold being in someone's home. Make cyber security real and personal, something from which the whole family can benefit.
-
Totally agree, continuous awareness is essential nowadays. Employees have to know the threats, and management the risks that threaten the business.
-
You need to speak in their language and in non-technical terms, and teach them the importance of security and what the impact would be if they ignore it. Share real stories of security breaches.
Highlighting the positive outcomes of strong Information Security practices can also be persuasive. Show how proactive security measures can lead to efficiencies, cost savings, and a competitive edge in the marketplace. For example, explain how robust security protocols can streamline operations, reduce downtime from cyber incidents, and enhance customer confidence in your company's reliability and professionalism.
-
Adopting Cyber Risk Quantification (CRQ) practices, such as Open FAIR, can make the cost-benefit ratio and the return on investment (ROI) of information security measures visible in monetary terms. This approach lets business leaders see clearly how security investments protect valuable assets and also promote operational efficiency, cost reduction and competitive advantage in the market. For example, by implementing security solutions, the downtime caused by cyber incidents can be minimised. Demonstrating these tangible benefits makes an informed decision on cybersecurity investment easier, with a direct impact on the company's financial health.
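To make the quantification idea in the comment above concrete, here is an added example (it is not the commenter's code and not the Open FAIR standard's own model) of a simplified FAIR-style Monte Carlo: loss-event frequency and per-event loss magnitude are sampled from low/most-likely/high ranges, which gives an annualised loss expectancy (ALE) before and after a control, one point on a loss-exceedance curve, and the control's ROI. The scenario, all dollar figures and the function names are constructed for illustration.

```python
import math
import random
import statistics


def poisson(rng, lam):
    """Draw an event count from a Poisson(lam) distribution (Knuth's method)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(freq, magnitude, trials=20_000, seed=7):
    """Return a list of simulated annual losses in USD.

    freq      = (low, most_likely, high) loss-event frequency per year
    magnitude = (low, most_likely, high) loss per event in USD
    Both are sampled from a triangular distribution, a simple stand-in for the
    calibrated PERT ranges used in FAIR-style analyses (assumption of this example).
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        # random.triangular takes (low, high, mode)
        lam = rng.triangular(freq[0], freq[2], freq[1])
        n_events = poisson(rng, lam)
        year_loss = sum(rng.triangular(magnitude[0], magnitude[2], magnitude[1])
                        for _ in range(n_events))
        losses.append(year_loss)
    return losses


def annualised_loss_expectancy(losses):
    """ALE: the mean simulated loss per year."""
    return statistics.fmean(losses)


def loss_exceedance(losses, threshold):
    """Probability that a year's loss exceeds threshold (one point on a loss-exceedance curve)."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def control_roi(ale_before, ale_after, annual_control_cost):
    """ROI of a control: risk reduction net of its cost, as a multiple of that cost."""
    return (ale_before - ale_after - annual_control_cost) / annual_control_cost


# Constructed scenario (not from the page): a phishing-led data breach, before and
# after a control (say, a phishing-resistant MFA rollout) that cuts event frequency.
BASELINE_FREQ = (0.5, 2.0, 4.0)          # events per year: low, most likely, high
CONTROLLED_FREQ = (0.1, 0.5, 1.5)
MAGNITUDE = (50_000, 200_000, 600_000)   # USD per event: low, most likely, high
CONTROL_COST = 150_000                   # USD per year, constructed figure


def business_case():
    """Numbers a CISO could put in front of the business: ALE, tail risk and ROI."""
    before = simulate_annual_losses(BASELINE_FREQ, MAGNITUDE)
    after = simulate_annual_losses(CONTROLLED_FREQ, MAGNITUDE)
    ale_before = annualised_loss_expectancy(before)
    ale_after = annualised_loss_expectancy(after)
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "p_loss_over_1m_before": loss_exceedance(before, 1_000_000),
        "p_loss_over_1m_after": loss_exceedance(after, 1_000_000),
        "roi": control_roi(ale_before, ale_after, CONTROL_COST),
    }


if __name__ == "__main__":
    for key, value in business_case().items():
        print(f"{key:>24}: {value:,.2f}")
```

The point for the conversation with leadership is the shape of the output, not the exact figures: an expected annual loss in currency, a probability of a loss above a threshold they care about, and a control's return expressed against its cost. Swapping the constructed ranges for calibrated estimates from the organisation's own incident and threat data is what turns this into an actual CRQ result.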
-
We always need to highlight why information security is fundamental to the organization's business. Image risks, financial loss and impacts on productivity are some points that must be taken into consideration to ensure success in delivering end-to-end security.
-
Highlight the tangible benefits of prioritizing Information Security, such as improved operational resilience, reduced financial losses, enhanced regulatory compliance, and increased customer trust and loyalty. Use case studies, testimonials, and real-world examples to illustrate the positive impact of security investments.
-
There are several examples that can be highlighted: - Security by design - Privacy by design - Security architectures in projects. All these actions help improve security and reduce future costs.
-
Also with proper governance, implementing a security framework, carrying out internal audits, and carrying out a proper risk or impact analysis.
If initial communication efforts don't yield the desired results, be prepared to adjust your tactics. Listen to feedback and be willing to modify your approach. Perhaps a more interactive presentation style, such as hands-on demonstrations or simulations, could engage your audience more effectively. Remember that convincing others is often a process of trial and error, requiring flexibility and persistence.
-
Flexibility is key if initial communication fails to prioritize Information Security. Listen to feedback and adapt your approach accordingly. Consider interactive methods like simulations for better engagement. Recognize that persuasion is iterative, requiring persistence and openness to adjusting tactics.
-
Start a metrics program with simple pie charts and percentages and reduce your dependency on stats-based dashboards. And make sure your new dashboards fit and navigate nicely on your leadership's cell phone. Shameless Plug: Check out my book called Converged Security Metrics.
-
Tailor your approach based on each department's unique needs, goals, and communication styles. For some, hard data and ROI metrics may be most persuasive, while others respond better to real-world examples and personal stories. Be flexible in your messaging and methods, whether that means hosting formal training sessions, informal lunch-and-learns, or one-on-one consultations. Continuously gather feedback and adapt your strategies to find what resonates most with each audience. The key is to remain agile, receptive, and committed to finding the right tactics that will effectively engage and motivate each department to embrace a culture of security.
-
Continuously evaluate and adjust your communication tactics based on feedback and results. Experiment with different messaging, channels, and formats to find the most effective ways to engage and persuade your audience.
-
You need to revise your strategy, and sometimes you need to enforce certain policies, like preventing staff from disabling their security products, preventing them from installing, and taking other steps. You need to clarify the consequences of a cybersecurity breach.
-
If your communication isn't convincing others to prioritize Information Security, try tailoring your message to your audience's interests and concerns. Use clear, simple language and storytelling to illustrate the importance of Information Security, highlighting business benefits and showing data-driven results. Build relationships with stakeholders, seek support from leadership, and provide actionable solutions. Celebrate successes and continuously improve your approach based on feedback and results. Remember, effective communication is key to building support for Information Security. Be adaptable, persistent, and creative to drive change.
-
There are battles you can win. There are battles you should withdraw from. If that latter, make sure you have evidence so you can present it with a nice “I told you so”. If this happens too often, look for another job.
-
It is important to get them involved. When you talk about security, they feel like you and your team are in charge and they are just users. However, if you ask them to get involved and they feel included, you will gain their trust and can communicate better to change their mind on the priority for information security.
-
Create visual aids that quantify the loss associated with the risk. Businesses care about money and reputation. Show stakeholders how taking that step to prioritize security isn't just optional, but a critical step to protecting what's important. Unfortunately, sometimes the best communicative evidence comes after an incident that could've been prevented.
-
When advocating for Information Security, it's crucial to align with the language and priorities of your audience. Security isn't just about avoiding threats, but enhancing business value. Tailoring the dialogue to show how security measures contribute to operational efficiency, customer trust, and compliance can shift the perception from cost to investment. Engaging stakeholders with real-world impacts and collaborative discussions can demystify complexities and foster a proactive security culture across all levels of an organization.