When Eric Cowperthwaite was heading up IT security at a major healthcare provider, a dedicated communications manager was his best defense to ensure the 75,000-plus employees were aware of security best practices and understood risk. Now in a similar position at a small player in the security software space, Cowperthwaite doesn't have the budget for such a role, although he admits it's not as critical given the size and focus of the firm.
"Today, I'm surrounded by 200 people who are engineers, programmers, and technical support staffers all speaking the same language and who accept the imperative of security more easily," explains Cowperthwaite, vice president of security & strategy at Core Security, a 200-person provider of an attack intelligence platform. "It's not a huge challenge here to communicate security and IT issues inside this company."
Few security organizations have the budget for a dedicated communications staff position, but a growing number of security chiefs, like Cowperthwaite, are intrigued by the idea given the recent number of high-profile breaches. For one thing, a communications specialist has the ability to translate complex security concepts and technology into messaging that speaks to the average user, which helps foster buy-in for stricter security policies. In addition, a communications professional has extensive knowledge of how and where to effectively deliver key security messaging, essential to encouraging user adoption of new policies and to keeping the greater organization in the loop about ongoing changes to the threat landscape.
While it's not necessarily a best practice for a company to have a dedicated communications role focused on security issues, larger companies should definitely consider the option given that they are prime targets for data hacks, according to Kristen Lamoreaux, president of Lamoreaux Search, an information technology-focused placement firm.
Larger firms have a more varied user base, and like any critical message, security issues need to be communicated appropriately for the target audience, she explains. For example, the importance of frequent password changes needs to be explained differently to Baby Boomers, who will likely be more accepting of the requirement compared to Millennials, who generally don't view security as a threat. "In larger companies, you need to craft messages based on demographics and that requires much more of a marketing focus," she says.
Less tech talk
Jay Leek, CISO of The Blackstone Group, a global investment and advisory firm, doesn't have access to a dedicated communications specialist, but absolutely supports the idea. He says security professionals need to change how they talk about key issues to be less technical and more relevant to a mainstream audience. "If you can't communicate effectively about what you're doing, people are going to duck when they see you coming because you're not making any sense," he explains. "Your ability to articulate what their role is and why it's important to the organization in a way they can understand is the only way to change organizational behavior."
Having the proper communications expertise also plays a critical role in effective security training. "Simply checking the box that you performed security compliance training doesn't manage the security risk of the firm," he adds. "You have to align what you do and change the conversation to something that's more meaningful to people outside of the security organization."
One way that Leek addresses the problem is to be selective in security hires, augmenting his staff with professionals who have business and communications backgrounds in addition to robust technical security skills. "We have someone on the team who is in the technical weeds and another who is an MBA from George Washington University," he says. "Communications skills and trainability in this area are a key focus as part of the hiring process."
At Applied Materials, there has been more change on the security policy front in the last 12 months than there has been over the last five years due to the increasing number of external threats, which means a greater focus on communications, notes CIO Jay Kerley. "At the end of the day, protecting our information assets and crown jewels is becoming more and more important to us," Kerley says. "As policies change from human resources and legal, the question is how do you effectively communicate information and deal with the different jurisdictions with different requirements."
Lucky for him, Kerley has a dedicated IT marketing director on his staff, who works with communications colleagues across legal, human resources and corporate domains to craft campaigns that spell out the risks, raise awareness, and promote new policies. "The CSO role has been in a wave of transformation for some time and it's all about change management," Kerley says. "If you look at traditional change management methods, communications is a critical part."
To promote security best practices, Applied Materials instituted the Confidential Information Management Campaign, a multi-faceted program that encompasses awareness, technology controls and business process change. The program is supported by Glaston Ford, director of IT marketing, along with a cross-functional team from Applied Materials' corporate communications department and content experts across the business, legal, IT and human resources. The team employs a variety of communications tactics to get its messaging across, from executive emails and CEO town hall meetings to small group meetings, flyers and posters.
"It's become a part of my job these last three years, coinciding with the high-profile nature of security breaches," Ford explains. "If a company doesn't have a communications function inside of IT, they need to enlist help from the corporate communications organization. It's that important."
With internal users representing the most significant security threat, a greater number of companies are deploying resources to raise awareness of security policies. Yet often those resources hail from different functional areas of the business, which can result in erratic messaging, says David Barton, CISO at Websense, a security solutions provider.
At Websense, for example, there isn't a communications person dedicated to security issues. Instead, internal security architects and members of the security operations team share the task of promoting policies, educating the user base on various threats and security topics, and creating security-related content for newsletters and corporate training. While the multi-team approach gets the job done, Barton admits that messaging could be more effective if it came from a central resource with a single voice.
"Most of the people in our IT organization and in engineering and development know portions of our security policy, but they don't know all the policies across all the disciplines," he says. "There's a huge advantage in having someone with a dedicated IT hat on handling communications for the organization. You get consistency of message, more timely notifications and have a central point to handle the policies and interpretation of those policies."
Core Security's Cowperthwaite says the task of communicating about security-related issues falls primarily to himself and the CIO, which keeps messaging fairly consistent. While most employees at Core Security are familiar with security practices and lingo, Cowperthwaite says it's incumbent upon security leaders to make sure they're talking about issues and policies in such a way that has impact on the business.
"You can't just communicate what the policies are, you have to explain why the policies are that way and what the impact would be on the company if they aren't followed," Cowperthwaite explains. "You also have to be able to communicate the policies in such a way that you are working to gain agreement rather than being a dictator."
Another upside to having help from a communications professional is knowing the best way to get the message out so it has the optimal impact. In Cowperthwaite's previous role at the health care organization, the communications team turned security messaging into a multi-channel campaign supported by posters and other materials in common meeting areas, tactics that, he says, non-communications professionals like himself might never have thought of.
While that kind of expertise isn't as important to his role today in a security-focused firm, Cowperthwaite says he wouldn't think twice about enlisting dedicated communications help if he ever moved on to another organization. "If I were a CISO at a non-security company and the role didn't exist, I would prioritize it very highly on my list of desired hires," he says.