Speaking on the opening day of the ninth annual (ISC)² conference in Orlando, Florida, cyber-risk strategist Chris Veltsos said that CISOs need to change their mindset when it comes to communication.
Veltsos, aka Dr.InfoSec, said CISOs are bamboozling boards with “techno babble” and failing to explain in real terms what could happen to a business in the event of a cybersecurity attack.
In an hour-long presentation entitled “5 Ways to Improve Your Cyber Risk Communications,” Veltsos told a packed room: “The mindset of cybersecurity professionals is that business leaders need to learn more about our work. Nah-uh. We work for them. Remember that.
“Think of yourself as a translator. Find analogies that have nothing to do with IT or cybersecurity and explain how a cybersecurity threat could create problems for the whole organization.”
Veltsos implored security professionals to be mindful of their language when communicating with colleagues who do not have a technical background.
“We have to make it so that people look forward to having conversations with us rather than thinking ‘oh no, it’s the IT guys.’
“As security professionals, we tend to use a lot of warlike language, and that doesn’t always resonate well with others, so it’s something you should avoid. We need to map our language to something that’s important to them.”
CISOs also need to be careful when selecting what information to present.
Veltsos said: “Pick the right level of granularity. Leave out the unnecessary details and use only good information. Get the tone and the language right and think about timing, especially if you are giving bad news or asking for money.”
Asked what CISOs can do outside of work to improve their communication skills, Chris Veltsos told Infosecurity Magazine: “Join Toastmasters or if that’s not available, there’s actually a tech version called Techmasters in some cities. I would also say challenge yourself to do more public speaking and to do more writing and you will grow tremendously just from pushing yourself outside of your comfort zone.
“Because cybersecurity or IT is in our fabric, we just kind of exude that all the time instead of being humans and relating on a human level, using general statements that are not IT security focused and asking questions like, ‘Hey, what did you do for fun this summer?’
“If you’re too much of a techie, you might need some coaching on how to approach people outside of work.”