The time has come for chief information security officers to change their strategy.
This column was produced by (ISC)² U.S. Government Advisory Council Executive Writers Bureau. Patrick D. Howard, CISSP, CISM, Kratos Technology & Training Solutions, was lead author of this peer-reviewed article.
There was a time when chief information security officers employed fear, uncertainty and doubt to motivate adherence to their cybersecurity programs. In particular, they would use FUD to get the attention of executives and managers to communicate program needs and to gain recognition of the CISO’s role. CISOs could gain grudging support by peddling doom at every turn. A CISO’s ability to scare the CIO about a vulnerability or bring sweat to the brow of the CEO about a risk to the organization proved to be a highly effective tactic.
Over time, we have seen that FUD rhetoric is losing its effectiveness in garnering support for an enterprise cybersecurity program. Threats to the organization’s sensitive data and critical systems are now generally understood, and fear of compromise or outage is constant at the strategic and operational levels of the organization.
Consequently, CISOs now operate in an environment where adverse impacts are generally recognized and where the CISO’s role in IT risk management is established and accepted. The time has come for CISOs to change their strategy.
To increase the understanding and involvement of stakeholders in the organization’s cybersecurity program, there are a number of actions the CISO can take, but none more important than developing a cybersecurity program outreach approach.
Planning is inherent to the CISO position, and successful cybersecurity programs rely on thoughtful and continual planning. Requirements for increasing understanding of the program, communicating program needs, increasing involvement in achieving program goals and building trust in program officials must all be baked into that plan.
The Cybersecurity Program Outreach Plan serves as the CISO’s playbook for marketing the cybersecurity program internally and should address the following elements.
1. Objectives: Establish why the outreach plan is necessary and define its purpose. Generally, the plan aims to gain support for the enterprise IT security program but should also build credibility and trust in the CISO (and his/her support staff) as the organization’s lead for managing cybersecurity risk. The organization must know who the CISO is and what he/she is responsible for.
2. Stakeholders: The plan should identify to whom the outreach efforts are directed. In reality, this should include virtually every person in the organization, and stakeholders should be categorized so that outreach efforts can be tailored for success.
3. Timing: The plan should identify the frequency and periodicity of outreach activities, including periodic meetings established in the organization’s strategic plan or by operational needs, regular awareness sessions presented collectively, and one-on-one sessions according to the needs of key stakeholder groups. The outreach plan is most effective when initiated by a newly assigned CISO within the first 30 days of assignment.
4. Methods: Targeted messaging according to stakeholder groups is critical to increasing understanding and visibility. This includes developing targeted briefings or presentations that speak to stakeholders’ specific situations. Executives and business unit managers should be provided with metrics in terms and format they can understand and further discuss. The plan should emphasize the importance of listening to stakeholders to identify issues and concerns, and then prioritizing the delivery of results that respond to those concerns. Positive and successful engagement in solving a manager’s or business unit’s problem is an ideal way to develop champions that help to build and maintain support for the program.
5. Location: Outreach efforts must take place wherever stakeholders reside, from the executive suite to staff meetings. Wherever there is an established gathering, the CISO should attend and come prepared to deliver a timely cybersecurity nugget that adds value for the audience. While face-to-face discussions often provide the best results, the CISO should communicate with all business units within the organization—whether in person or virtually—and spend time discussing their unique issues.
Enhancing the visibility of cybersecurity in the organization should be a key goal for the CISO, who is the face of the program. In exercising leadership of the organization-wide cybersecurity program, the CISO must take the initiative and demonstrate personal involvement.
The CISO cannot afford to wait for problems to come to his or her attention, but must reach out to stakeholders to establish credibility as a problem-solver and to gain trust. Development of a program outreach plan is an effective means of achieving this goal. According to today’s CISO playbook, the “win” of program effectiveness is achieved through planned outreach rather than the tactical employment of fear, uncertainty and doubt.