Chapter 7. Step 4: Use Communications to Get the Message Out

I’m a huge believer in the power that communication, education, and awareness can have in your pursuit to secure your company’s information assets. Of all the activities I give my time to as a CISO, none is more important than or has the ROI of communications. If I could do only one activity in the InfoSec space, it would be this one.

This topic is so important that for over 20 years and multiple CISO gigs, I’ve always had a dedicated communications person supporting the team, amplifying our work, and broadcasting InfoSec messages throughout the company. If InfoSec were a body, communications would be the heart of the program. If you’re not focused on communications as a CISO, hopefully this chapter will give you some things to think about.

What Is a Communications Program?

A communications program (or simply communications) is the thoughtful delivery of targeted and relevant messages to the various departments and teams throughout the company that inform them of their responsibilities for cybersecurity. A communications program is proactive about security, and the goal is to provide information to staff that causes them to take actions toward greater measures of security over the information assets under their control. Communications is the vehicle by which staff members understand their responsibilities for safeguarding sensitive digital assets.

Communications encompasses awareness, education, and training. It’s the ...
