When Eric Cowperthwaite was heading up IT security at a major healthcare provider, a dedicated communications manager was his best defense to ensure the 75,000-plus employees were aware of security best practices and understood risk. Now in a similar position at a small player in the security software space, Cowperthwaite doesn't have the budget for such a role, although he admits it's not as critical given the size and focus of the firm.
"Today, I'm surrounded by 200 people who are engineers, programmers, and technical support staffers all speaking the same language and who accept the imperative of security more easily," explains Cowperthwaite, vice president of security & strategy at Core Security, a 200-person provider of an attack intelligence platform. "It's not a huge challenge here to communicate security and IT issues inside this company."
Few security organizations have the budget for a dedicated communications staff position, but a growing number of security chiefs, like Cowperthwaite, are intrigued by the idea given the recent number of high-profile breaches. For one thing, a communications specialist has the ability to translate complex security concepts and technology into messaging that speaks to the average user, helpful in fostering buy-in for stricter security policies. In addition, a communications professional has extensive knowledge of how and where to effectively communicate key security messaging, which is essential to encouraging user adoption of new policies and to keeping the greater organization in the loop about ongoing changes to the threat landscape.
While it's not necessarily a best practice for a company to have a dedicated communications role focused on security issues, larger companies should definitely consider the option given that they are prime targets for data hacks, according to Kristen Lamoreaux, president of Lamoreaux Search, an information technology-focused placement firm.
Larger firms have a more varied user base, and like any critical message, security issues need to be communicated appropriately for the target audience, she explains. For example, the importance of frequent password changes needs to be explained differently to Baby Boomers, who will likely be more accepting of the requirement compared to Millennials, who generally don't view security as a threat. "In larger companies, you need to craft messages based on demographics and that requires much more of a marketing focus," she says.
Less tech talk
Jay Leek, CISO of The Blackstone Group, a global investment and advisory firm, doesn't have access to a dedicated communications specialist, but absolutely supports the idea. He says security professionals need to change how they talk about key issues to be less technical and more relevant to a mainstream audience. "If you can't communicate effectively about what you're doing, people are going to duck when they see you coming because you're not making any sense," he explains. "Your ability to articulate what their role is and why it's important to the organization in a way they can understand is the only way to change organizational behavior."