Step 1: Define Key Stakeholders. Security teams should think of every major business function or role as an audience, including the IT function. To influence effectively, it's important to understand who you're trying to influence and what their communications needs are. If you aren't certain of stakeholder needs, ask them.
Step 2: Define key messages for each stakeholder group. Once stakeholders are identified, it's time to define how the message will be delivered. Since different audiences need different messages, delivery mechanisms should be optimized for maximum comprehension. And since you can only communicate a certain number of messages at once, decide what they are and keep them concise. A great example of this is campaigns--steer away from communicating your , but focus on the behaviors that pose risks and require change, and develop your messages accordingly.
Step 3: Determine key communications campaigns. With messages determined, it's time to decide how to deliver them. Depending on the audience and their needs, one or more campaigns for delivery might be necessary. While there are many effective campaign communication delivery methods, such as brochures, emails, fact sheets, and SMS, among others, a thorough understanding of key audience needs will go a long way in selecting the best method.
Step 4: Executive security communications plans. This is perhaps the most important step, and can make the difference between a well implemented plan that focuses on the audience and a mediocre plan that focuses on the needs of the security group and its technical view of the organization. While one or more staff members can implement separate campaigns, it is essential for one person to oversee the general direction of the plan. This will guarantee that key messages are adhered to, as well as achieving a timely delivery of the campaigns.
CISOs need to continue to drive communications personally. Leading security executives make communicating business value a day-to-day practice. The individuals position security's value within the organization through a concentrated effort to identify the right stakeholders, to meet with them on a frequent basis, and to find ways to promote security's activities to business value. It's only through effective communications and relationship-building that you will promote your security group and get the buy-in, funding, and support that you need.