# Understanding Your Audience for Effective Impact: Insights from CISOs
Security leaders must focus and adapt their messaging to effectively use risk management in navigating a chaotic cyber landscape, according to a panel of Chief Information Security Officers (CISOs). During a discussion on the final day of a prominent security event, these leaders from LexisNexis and RX Global emphasized the critical role CISOs play as business enablers and “translators” of risk to senior leadership.
This significance is heightened in a landscape rife with AI-driven threats, insider risks, escalating business demands, and rapidly changing technology.
“You have to ensure that your message is tailored for the audience you are addressing,” stated Maritsa Santiago, CISO of Reed Technology at LexisNexis. “When communicating with a risk owner, the approach differs from that taken with a business leader. Consider how they will best receive that information: should it be more qualitative or quantitative? We must enhance our ability to communicate appropriately with our specific audience to guarantee our messages resonate.”
Jeff Jenkins, CISO of LexisNexis Legal & Professional, reinforced this point with a Formula 1 analogy. He explained that suggesting to an F1 team that they “drive slower due to frequent crashes” is a miscommunication. Instead, the focus should be on how to enable faster performance and greater success: “Understanding your audience is crucial, as the solution will vary greatly from one situation to another.”
John Kelly, CISO at Elsevier, stressed the importance of understanding business terminology. “For too long, we have attempted to teach the business our cyber language, when we should have focused on learning their business language.”
Santiago also highlighted the necessity of strong communication skills and a solid grounding in the data-driven aspects of the CISO role. “You’ve got to sell – the ability to influence is significant. However, possessing the skill set to generate supportive data for your requests is essential,” she noted.
## Embedding CISOs into the Business
Using appropriate language is vital for fostering a culture of security awareness within organizations. Santiago articulated that “building security awareness across the organization is crucial. Ignorance is not an option, especially as we face daily phishing attacks.”
Educating employees on the importance of security and its relevance to them personally is key to broadening their understanding. To achieve positive risk management outcomes, CISOs should strive to eliminate traditional silos between security and business functions. Des Massicott, CISO at RX Global, emphasized that “we should not view ourselves as separate entities. A disconnect will always exist if we do. The concept of ‘shift left’ encapsulates the importance of integrating security across all areas, from security champions to governance, risk, and compliance to operations.”
Paul Watts, CISO research and advisory lead at the Information Security Forum, concurred. “Practitioners must invest time in learning about the business and actively listening to address risks effectively. Being inside the chaos limits one’s ability to manage risks effectively.”