A culture of security is one of the most important things that you can have in your bank or credit union. It will make it easier to mature your cybersecurity program and will make it more effective and efficient.
There are several key pieces of a culture of security in your organization, but one of the areas I want to focus on today is communication.
Communication among the various stakeholders is critically important in having a culture of security in community banking. Maybe one of the most important channels is the communication between your technical staff and your management team.
When I talk about technical staff, I mean your Information Technology team, your Information Security team, your Information Security Officer (or CISO), and other vendors/partners that may be involved in filling some of those roles. When I talk about the management team, I'm talking about your business unit leaders, your C-Suite (CEO, CFO, COO, etc.), and your board of directors.
The challenge with good communication between those two groups is that oftentimes they're speaking different languages, and that can be very frustrating. So today's blog post covers five tips for your technical team to successfully communicate with your management team.
Next week, we’ll post the 5 Tips for Management to Successfully Communicate with Technical Staff.
Tip #1: Be Approachable
There are several parts of being approachable, but the things that come to mind for me are to be patient and to understand that the people you're talking to may not understand the technical components of what you're saying. Make that okay. Make it safe for your audience to ask questions. Be an educator to them. They don't know this stuff like you do, and that's okay; that's what makes you valuable to your organization. If you can be a resource to your management team, you will bridge the gap and begin to get buy-in on the things that need to be done in your financial institution.
Tip #2: Speak in Terms of the Business
If you're pushing an initiative, does it reduce risk? Does it save money? Does it increase revenue? If you can use dollars and percentages, you're going to get a lot further along than using very generalized or vague terms such as: “it would be really cool if we did this” or “it would be really bad if that happened”.
Understand that your management team audience has other things that they have to take into consideration when making decisions. There's a bottom line at play. There are operations in the mix. There are customers that they have to worry about. If you understand that going into the conversation, you'll have a better chance of being successful.
Tip #3: Don't be a Victim
Oftentimes I speak with IT folks and ISOs that always have a sad story to tell about how no one values them, no one listens to them, and their ideas are never appreciated. And whether that's true or not is beside the point – they need to stop – it pushes people away.
If that's the message and the vibe that you're putting out into the world, you're going to have a tough time being successful in anything you do. Don't be a victim.
Tip #4: Simplify the Concepts
I think sometimes it's a bit of an ego thing. I think sometimes it's a bit of laziness. When technical people rattle off jargon without any consideration for the other people in the conversation, it tends to build walls rather than form connections.
If you can avoid jargon and acronyms, you're going to help people understand what you're talking about and you will come across as more approachable (see Tip #1). Management is more likely to buy in when they actually understand an idea; if not, they are more likely to push back.
Another thing I like to do is use analogies where possible. They can help bring people up to speed in their basic understanding of a concept very quickly.
When you can simply explain a concept yourself, it usually indicates that you have mastered the topic. Do your homework ahead of time and simplify the concepts for your management team.
Tip #5: Stop Being the “No” Police
When a business unit, decision maker, or even a fellow member of your management team comes to you and asks about a new project, if your answer is always “no”, they're going to stop asking.
Instead, be a solutions provider. Ask yourself, how can we make this work? Let the other person know that it may take a lot of resources or a lot of time, but you're going to look into it and see what can be done. The Management Team will begin viewing you as a partner when you take this type of approach and will value your opinion.
Closing
Communication is so important to information security programs, but it's not easy to do. Hopefully, you found these five tips to be helpful in strengthening your culture of security.
Shoot us an email at support@bedelsecurity.com with any questions you have.
Or if you'd like to know more about what an effective information security program might look like at your community bank, check out our CISO Assessment Page.