Mind Tricks CISOs Already Know — A Methodology for Delivering Effective Communication
Effectively communicating about cybersecurity is an increasing and layered challenge for CISOs, security leaders, communications professionals, business executives and boards.
CISOs are mission driven, focused on securing and defending. Anything that is not directly related to securing or defending may get deprioritized. So, serving up actionable impactful and behavior changing communications doesn’t always take top billing for security leaders as they simply don’t have the time.
What if there was a way to deliver more effective messages to the diverse stakeholders of security — executives, board directors, clients, partners — where we could also measure effectiveness, improve engagement and leverage the skillset and training cybersecurity practitioners already have?
CISOs should be leveraging their security training, in anticipating and reacting to social engineering and psychological operations, to become more effective communicators.
First, let’s review some foundational concepts
Cybersecurity is vast and intricate. The field that we call “cybersecurity” includes many different domains and functions. Frequently it means different things depending on the audience or industry.
One of the areas that practitioners train in is to think about the threat vectors and attack surface while considering the motivation of criminals. It’s dirty work. Being able to think like the adversary is one way that cybersecurity controls are hardened. However, the same conditioning sometimes means that security practitioners unnecessarily constrain their communications. Sometimes, being too precise and too direct can impede effective communications.
People connect with things that matter to them. Cybersecurity is something that matters to individuals, corporations and government agencies equally.
Cybersecurity is privacy, it’s safety, it’s financial, it’s trust. It’s something that carries weight and has purpose and meaning for individuals as well as organizations.
Different communities will engage with and process information differently. Understanding the different stakeholders and their frame of reference improves our ability to connect with them.
Unconscious bias is real and unavoidable. The environment that we grew up in, our education, our values, our experiences all contribute to shape the lens with which we experience life and process information. Understanding the lens through which your stakeholders will experience and process information should inform how it is delivered.
Doing good is trendy. Brands have recognized that consumers want to put their money and support behind organizations that are committed to making the world a little bit better than when they got there.
As we continue to increase our dependence on technology, companies will distinguish themselves by being responsible stewards of our data, privacy and security. Recognizing this as a competitive differentiator and sharing that message will resonate with other executives outside of the security function to help build trust and increase engagement, possibly even with clients, industry partners and investors.
Hierarchy of Cyber Engagement Explained
Every great communicator, and even the not so great communicators, will remind us that we need to “know our audience” when preparing a message. But what do we actually need to know about our audience? And how do we use that knowledge to prepare the message for the greatest success and impact? Let’s apply the principles used in Psychological Operations and Social Engineering to more effectively craft and execute a message to deliver measurable impact and active engagement. In this hierarchy of cyber engagement, we go a step further by defining what motivates people to take action and to have an ownership stake in the ongoing results.
1. Success & Ego — What is the target’s frame of reference?
More acutely than “knowing your audience,” learn their professional success drivers and corresponding insecurities. By understanding how your target audience is evaluated and rewarded at work, and what they may feel insecure about (or ‘worry about’) we can better understand not just what message they will be more inclined to connect with, but how to deliver that message for maximum success.
2. Core message — Call to action? Warning? Routine Update?
What is the message that we need to get across and what (if any) action do we want to drive? And be clear about the reason for the message — is there an expected action or response? If there isn’t why even bother with sending the message, at least for now?
3. Tailor engagement — Chart the best way to deliver the message (timing, format, sender).
Once we know what we want to say and to whom, then we need to consider what is the best way to deliver that message? Should it be in conversation? A presentation? A memo? Who should be the sender? When is the optimal time to deliver the message for impact?
4. Reward & Award — Positive recognition drives ‘stickiness’ and continued support.
It’s been said that you win more bees with honey, and the same is true with engagement. The more you can reward and award your stakeholders for their support the more engaged they will be. What do your stakeholders value and is it something you can deliver? This isn’t a bribe, it may be recognition or access that previously wouldn’t have been available if they weren’t engaged. For example, what if they were given the opportunity to participate in an industry event? Or had budget to participate at a conference? Or were invited to deliver a keynote address? What would feel like meaningful recognition that would encourage their ongoing support?
5. Reinforce — Empower, praise, and reinforce success enabling the opportunity for redirection.
Once you have a stakeholder who ‘gets it’ and connects with the overall mission and greater purpose, don’t just sit back and smile with pride. Regardless of how senior or junior they may be in the organization, check in with them casually. Use the time to allow them to beam boastfully about their success or their achievement, ask questions, praise their progress and personal development. And once you have solidified your camaraderie around a shared purpose, consider if you need to make any refinements to the message.
CISOs are trained to anticipate the needs of their environment, then prioritize and implement the right tools. When security leaders apply the same paradigm to communication, they will find that they are engaging with more impact and better outcomes.