Source: www.infosecurity-magazine.com
Security leaders must focus and adapt their message to their audience if they are to successfully use risk management to tame a chaotic cyber landscape, a panel of CISOs has argued.
On the final day of Infosecurity Europe, security bosses from across LexisNexis and RX Global discussed how CISOs play a vital role as business enablers, and “translators” of risk for senior leadership.
This role has added importance given a landscape in which AI-driven threats, insider risk, growing business demands and fast-evolving technology proliferate.
“You have to make sure you’re changing your message for the audience you’re speaking to. When you’re speaking to a risk owner, that can be different from speaking to a business leader,” explained LexisNexis Reed Technology CISO, Maritsa Santiago.
“How can they best receive that message? Would it be better for more qualitative or quantitative-type information? We really have to get better at […] taking it back to that individual audience […] in order to ensure the message is making its way to being heard.”
Jeff Jenkins, LexisNexis Legal & Professional CISO, amplified the same message using a Formula 1 analogy.
“You can imagine a risk practitioner in an F1 business saying ‘you need to drive slower because we’re crashing all the time.’ It’s the wrong message to the wrong audience at the wrong time,” he said.
“It should be: ‘how do we enable you to go faster and win more?’ You really have to understand your audiences, because the answer is never going to be the same in two different situations.”
Elsevier CISO, John Kelly, added that understanding the language of the business is critical.
“For too many years we’ve been trying to teach [the business] the cyber language and the quantification side when we should have been learning the business side,” he said.
Santiago also cited the importance of communication, as well as a grounding in the data-driven side of the CISO role.
“You’ve got to sell – the ability to influence is huge. But you have to have the skill sets behind it to be able to produce the data to support what you’re asking for,” she said.
Embedding CISOs into the Business
Using the right language for the right audience is also vital to building a security-aware culture, said Santiago.
“Building security awareness across the organization is extremely important. You can’t live in a level of ignorance, especially as […] we’re all getting hit daily by phishing emails,” she explained.
“One of the things we can continue doing is to educate the business on the importance of security and why it should matter to them. If you can bring it back to the individual […] it helps them broaden their scope.”
In order to deliver positive risk management outcomes for the organization, CISOs should do as much as they can to break down traditional silos with the business, said Des Massicott, CISO at RX Global.
“We shouldn’t see ourselves as a separate entity. If we do, there’s always going to be that disconnect. ‘Shift left’ means everything from security champions to GRC [governance, risk and compliance] to operations,” he said.
“We should try as best as we can to insert ourselves into the day-to-day business running. Our leaders today are perhaps more invested in that because they come from a background where they’ve gone through a cyber event.”
Paul Watts, CISO research and advisory lead at the Information Security Forum, agreed.
“The advice I’m hearing is, if you’re a practitioner and you’re not spending time in the business and learning the business and listening to the business, you’re never going to be able to […] address risk in a chaotic landscape because you’re sat inside the chaos.”
Original Post URL: https://www.infosecurity-magazine.com/news/infosec2025-know-your-audience/