Cybersecurity communication is the foundation of relationships between security teams and the rest of the organization, and can ultimately help address risk more effectively.
Instead of being seen as "the department of no" and an impediment to business goals, experts said security teams are being accepted as a necessary piece of business success.
Security teams now understand the needs of the rest of the company and have shifted to become "the department of yes," said Justin Berman, former head of security for Dropbox, during the 2020 HackerOne Security@ conference. Effective communication between the security team and C-suite has been key to this shift and to get the entire organization to understand why risk management efforts are needed.
"There's some amount of risk you're willing to take because you can't fully mitigate security risk," Berman said. "What you need from your board is an agreement about what the tolerance for risk is going to be, so that you can act within that tolerance."
A strong organizational cybersecurity culture shouldn't focus specifically on the security team. It requires an organization-wide effort to strengthen cybersecurity communication between the IT team and other parts of the company -- as well as with outside vendors.
Non-adversarial, transparent communication between IT and the rest of organization is a big part of this strong cybersecurity culture. IT teams have traditionally shamed users who made security mistakes, Berman said, and this led to an adversarial relationship with the rest of the organization, while making employees less transparent when they do make mistakes.
"As we move into a world in which security teams see their responsibility as helping partners get the right resources to fix security problems or to participate in fixing the security problems, then we're in a much different world in which [others are] happy to have transparency," Berman said.
Once the CISO understands corporate risk tolerance and IT is more transparent with the rest of the organization, then cybersecurity relationships can become partnerships, according to Perry Carpenter, chief evangelist and strategy officer at KnowBe4, a security awareness training firm based in Clearwater, Fla.
"Many security teams have realized that they should operate as partners rather than obstacles. As such, there is a much friendlier relationship between security departments and the rest of the organization," Carpenter said. "Security culture is always a subset of -- and influenced by -- the larger organizational culture."
CISO communication and collaboration
Communicating security goals and understanding the risk tolerance of various parts of an organization may not be as easy as it sounds, however, because personal goals can get in the way. Without alignment between business incentives and security goals, security teams are bound to meet resistance, Berman said.
How a CISO communicates is a big factor in success, but experts noted communication can be tricky. Understanding the tech side of security is important, Carpenter said, but a CISO must also be able to build critical relationships with company stakeholders.
"The CISO needs to realize that security is, or can be, a political football within an organization," Carpenter said. "CISOs who understand communication and relationships will be much more successful than a techie CISO who lacks good communication skills or doesn't know how to manage security in a risk-based manner."
CISOs' backgrounds and training play a big part in how well they may connect or communicate with others. Berman noted that the skills and traits that make CISOs successful from a security standpoint are less useful at the executive level.
"We [as CISOs] are taught to prepare for the worst. Those traits can lead to isolationism and paranoia and deeply inhibit your ability to connect authentically with other people," Berman said. "When you get out of that headspace and start to assume everyone is trying their best given the constraints they face, then you can leave behind those [negative] traits in favor of collaboration and partnership."
Security teams and vendors
Building strong cybersecurity relationships and cultures based on communication, collaboration and partnerships shouldn't just be limited to within an organization. It should extend to vendors as well.
If there is a lot of churn in security vendors within an organization, for example, the risk is that the relationship can be viewed simply as transactional, Berman said.
"When I look for security vendors, whether for services or technology, [I ask,] 'Is this vendor going to be a long-term partner for us?'"
As the relationship between vendors and security teams has changed, their cultures have been diverging, said Adam Laub, general manager of Stealthbits Technologies, a data governance firm based in Hawthorne, N.J.
As vendors have become more specialized in their offerings, security teams have been forced into more generalized roles, Laub said. This makes communication about security needs crucial.
"The expectations of vendors, and the effectiveness and value they provide, has increased to new heights," Laub said. "Ultimately, a healthy partnership between the customer and vendor is one of collaboration, timely and transparent communication, continued education and a demonstrated ability to increase visibility, reduce risk and secure critical assets."
The quality of the relationship between vendor and security team is often affected by communication. Carpenter noted that security teams that do their own research will often not interact with vendors until much later in the buying cycle, so they will be influenced more by vendors that provide valuable insight via free white papers, webinars or videos.
"Trust and credibility are always being built and are always at stake. The organization usually extends trust knowing that the vendor is a subject matter expert and has shown value in the due diligence and research phases," Carpenter said. "This allows for long, ongoing relationships based on trust and continued performance."