Communication is an essential part of the CISO's role, but too often we get it horribly wrong. That was the message laid out by communications expert David Porter at the RSA Conference in Europe recently.
We know that a large part of the CISO’s role is to influence, cajole and encourage our business leaders to make the right choices, enabling our firms to manage risk and move forward safely. Creating compelling communications is a differentiator, but too few CISOs excel in this area and this is holding back their credibility, their career and the risk posture of their employers.
David Porter proposed spending a great deal more time than most of us are used to on refining the introduction to any piece of communication, actively crafting it to flow from ‘Situation’ (“Once upon a time there was a beautiful princess...”) to ‘Complication’ (“...who was imprisoned in a tall tower by her wicked step-mother”). That sounds pretty standard, but it was interesting how David then analysed different RSAC submissions and showed how even the professionally written ones deviated from this model, and how much clearer they were once the rule had been applied.
This simple setup opens up the reader's or listener's mind and plants questions about how the story can be resolved, and stories are powerful communication tools.