Chief security officers (CSOs) need to make communication one of their key skill areas, according to experts at the Black Hat USA 2009 conference.
While technical skills are essential, one of the key focuses of the successful CSO must be knowing how to explain the issues of computer security to a variety of different audiences, delegates heard. This was vital to getting things done properly.
“Translation half the time is what I have to do, explaining what it means in business terms,” said John Stuart, CSO for Cisco.
“Management want nothing to do with the technology side of attacks at first. Later, when they have 15 minutes, they might want to know the technological details, but for the most part it’s business that is important.”
“I agree a thousand per cent,” said Bob Lentz, CSO of the US Department of Defence (DOD).
“There’s a very sig education that has to go on. It’s a big part of our game to move from an IT environment to a business one.”
He said that every morning at 7.30 am the DOD security team had a review meeting. Public affairs was the first to speak, covering any breaking news stories, then legislative affairs gave a talk on what Congress was thinking, and only then did the security team get to talk over issues.
Overall, business was getting a better idea of what was behind attacks, but there was still a huge amount of technological ignorance to get over, said John Johnson, CSO of John Deere.
“The message has to be tailored to the audience,” he said.
“They want to know how we are doing. If you don’t have the ability to go to your data and give them a meaningful response they are going to wonder why you have your job.”
In some cases knowing when not to communicate things is also important. John Stuart said that at Cisco he had refused to sign off on the security of certain product groups. This led to them developing their own internal security groups to examine products, which increased security without hurting his budget.
Communications is key to the successful CSO
By Iain Thomson on Jul 30, 2009 2:38PM
