Scott Berinato: I now realize that business leaders are consumed with so many responsibilities that you'd be lucky to get six minutes of their time. I'm not saying it's impossible to get business execs to hear what you're saying about risk, but it's become more clear to me why the disconnect exists and will continue to. There's no secret formula that will get CEOs to understand, care about and consistently consider what are--to them--remote, vague threats. If it's not an immediate threat, it's hard for them to focus on it.
I've learned this is not something that will be fixed or overcome--it's just something that has to be managed. The best you should hope for is an executive who will empower you to be a strategic part of the organization and will actually give you the floor to talk about what you need to talk about. People trust leaders, so the most effective thing a leader can do is show people, "Hey, this stuff matters." That's more powerful than trying to get them to understand in detail how online threats work.
That has shifted my thinking from trying to effect a massive culture change so everyone is thinking about security all the time, to realizing that that's impossible. What is possible is being able to communicate on a regular basis with the right people.
Blake: It's very difficult to communicate at scale. It's much more effective to communicate one-on-one. With my financial advising clients, I could send a letter out and some might take it to heart, but if I sat down with them, it would have a significant impact. The same is true when you navigate corporate America. The security department can send out emails all day long, but they still need to make individual connections. You need to convince leaders and key influencers one-on-one, who can pass it on through the rest of the organization.
A mistake some CISOs make is focusing just on the CEO, but sometimes it's more effective to convince everyone else who the CEO listens to.
Drawing a parallel with being a financial adviser, a lot of times when you're dealing with a couple, often one will defer to the other, but it's not always obvious which is which. There are key influencers on the other side of the table, and being able to influence them is key to being convincing.
Brown: There's a different dynamic when you're working in the business versus for the corporate entity. In the business, you're dealing with budgets and outages and screaming customers.
When I take somebody from corporate with a $100,000 pet project out to the manufacturing floor and show them how many tags and labels we need to make to make $100,000 in profit, it blows them away.
On knowing end users: