
#Infosec2025: LexisNexis CISOs on Board Discussions, Business Language

Each department has themes that are relevant to them.


In a panel session at Infosecurity Europe, four divisional CISOs discussed collaboration and working with their respective businesses.

With each member representing the global LexisNexis organisation, moderator Paul Watts asked how the four CISOs work together and ensure messaging is suitable for their divisions. Jeff Jenkins said each has their own business to understand and must know what each business wants, but one risk profile would not work. “We collate through a framework and put it to the board,” he said, selecting the 10-15 elements that mostly affect you.

Des Massicott, CISO of Infosecurity Europe organiser RX Global, said each department has themes that are relevant to them, whilst John Kelly, CISO of Elsevier, confirmed that there are separate budgets and programs, and this creates different risk priorities.

Business Language

Watts moved on to the challenge of “not talking the language of business” and the importance of context and challenges faced when communicating technical risks.

Maritsa Santiago, CISO of LexisNexis Reed Technology, said each division’s audience is different and you change the message for them, just as you would for the risk owner, who is different to the business leader. “Also understand who the audience is to drive context,” she said. This involves considering how the message is best received and how to take it to a broader audience.

Asked by Watts how they verify their messaging, John Kelly, CISO of Elsevier, said that messaging tends to be on the quantitative side, and in the business context. “We’ve been trying to teach when we should be on the business side, as we build things to consider financial indicators and we feed in security data and we build a risk profile,” he said. 

This allows the CISO to focus on where to prioritise and ‘buy down’ risk, as the board is making those decisions every day. Asked by Watts if there is a change between quantitative and qualitative, the panelists said there is a need for both as you can “evolve to one as trust it and can map it,” Kelly said.

Watts said there is a need to sell the need to boards, and that can come naturally, as practitioners do have blind spots, “but the way we negotiate is what we focus on.”

Santiago said there will always be a need to improve, as well as to learn and grow, to know who we are pushing to, and to define your communication. Jenkins agreed, saying that you need to have a sales pitch so you know who you’re pitching to. “Most people you work with think about themselves and not the group or environment, and getting people to do that is a challenge, and that is where sales pitches come in.”

Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
