{"id":16202,"date":"2018-10-18T16:00:02","date_gmt":"2018-10-18T16:00:02","guid":{"rendered":"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/?p=86140"},"modified":"2018-10-18T16:00:02","modified_gmt":"2018-10-18T16:00:02","slug":"ciso-series-building-a-security-minded-culture-starts-with-talking-to-business-managers","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/ciso-series-building-a-security-minded-culture-starts-with-talking-to-business-managers\/","title":{"rendered":"CISO series: Building a security-minded culture starts with talking to business managers"},"content":{"rendered":"
<\/div>\n

Cybersecurity is everyone\u2019s business; protecting the company and its users against data leaks is no longer just the responsibility of IT and security operations. Everyone from the board to Firstline Workers has an important role to play. A culture that encourages individuals to believe they have a part in defending the company against malicious behavior requires that each person is aware of the day-to-day risks and knows how their actions and choices can mitigate, or increase, those risks. This is why we will be writing a new series of blog posts for senior security experts and executives called the \u201cCISO series\u201d to help further discussions from within the organization to the boardroom to the customer and help establish that security culture and mindset.<\/p>\n

If you are like many of your peers, one of the initiatives that you\u2019ve put in place to create a culture where everyone in your organization takes security seriously is a required, annual security training for all employees. And, hopefully, it seems to be working. Feedback from security training indicates that employees have a better understanding of their role in cybersecurity. Even more important, many of your users have begun to take steps to improve their security posture, such as by reporting suspicious emails rather than clicking the links.<\/p>\n

There\u2019s just one problem. Today, one of your security operations managers brings to your attention a report showing that the sales division consistently gets low scores on the training. The sales team promotes your business products throughout the world\u2014in Asia, Europe, North America, and South America\u2014often accessing company data from overseas via unsecured wireless. If anyone needs to ace this training, it\u2019s this team. You\u2019re tempted to get on the phone immediately and provide the VP of Sales a litany of scary statistics that prove how critical this training is. But, fortunately, you stop yourself. If you have any hope of increasing compliance, you need this manager engaged in the solution and on your side. What\u2019s more, if you handle the discussion properly, the VP of Sales could give you insights to help you craft a program that his team will embrace more enthusiastically.<\/p>\n

Turn business managers into security evangelists<\/h3>\n

If you have any hope of turning the VP of Sales into an advocate you need to frame security \u201cin the language of the business\u201d by \u201cquantifying business impacts.\u201d You\u2019ve heard this before, but what does it mean in practice? What if we start with an even more basic truth: The most important thing to remember about the VP of Sales is that he\/she is a human being. And so is everyone on the team. In other words, tried and true communication strategies that have been proven to work outside of cybersecurity also work with humans who happen to be business managers.<\/p>\n

Five communication strategies proven to work<\/h3>\n

Take a look at the following communication strategies and see how they can be customized for your conversation with your own VP of Sales:<\/p>\n