Communication Strategies to Improve Business Relationships

Peer Practice
Written by Linda Luty

David Ortiz

Chief Information Security Officer

Church & Dwight

What makes a person a good communicator? Answers may vary, but one commonality is the ability to read a room. This is particularly important for cyber leaders who are communicating complex information to groups that often do not have technical expertise.

David Ortiz, CISO at Church & Dwight, understands that for a message to be received well, it must be crystal clear. When communicating across the business, the message should be “packaged up and delivered appropriately, talk in business terms depending on who you're delivering it to,” says Ortiz. Perfecting storytelling and the “elevator pitch” is essential for CISOs looking to articulate their roadmap and gain buy-in.

Building better business relationships has long been a topic of conversation in the information security community. This is likely due to the simple fact that there is no silver bullet for how to best share cyber directives, discuss cyber risk and the threat landscape or communicate cyber maturity. 

“I always go back to ‘speak the language of the business’ and understand what is important to them,” says Ortiz.

“It's really about building the business relationship.”

Business relationships happen at all levels in the organization, and cybersecurity needs to build strong relationships throughout the business. No matter the size of the organization, understanding risk and providing digestible security awareness is critical to a successful program.

It’s important to remember it’s not just the technology side of cybersecurity that matters; there is a lot more to that relationship that must be in place to be successful. “All leaders are still learning every day and should embody an attitude of service,” says Ortiz. 

“We're elevating cyber into a business decision.”

Internalizing this mentality can help shift the conversation toward business outcomes, which along with “protecting the enterprise from cyber threats” should be the primary focus for CISOs.

When working with decision makers across the business or updating the C-suite and board of directors, “we're likely not going to have a conversation about the latest and greatest tool we put in. We need to talk about the outcome of doing that and how the technology improves the business,” says Ortiz. “I may be focused on implementing a new security tool to protect user IDs, but ultimately, it is all working toward the goal of enabling user IDs in a secure, efficient manner, keeping people productive and moving the business forward.”

Ortiz’s advice to other CISOs is to think about how to position the cybersecurity roadmap. “Steer away from ‘security is a technology problem,’ and towards ‘cybersecurity is a business decision.’”

“If you're getting into a line of business conversation, you're going to have to tailor that message a little differently. And if you're talking to security professionals or technology partners, the message is going to be somewhat similar, but the delivery could be different along the way,” says Ortiz.

And at the end of the day, the goal is “making sure people walk away aligned with the organization's cybersecurity initiatives, and if they have more questions over time, they can come back to you. It’s important to leave that communication channel open.”

“Have you governed yourself to prioritize the business priorities first?”

One challenge in innovation is trying many new strategies, technologies or processes and failing to regularly take stock of the entire inventory of tasks and responsibilities. A CISO’s ability to self-govern and take things off their plate is one way to be more efficient and better lead the cyber side of the business.

“It’s important to govern and make sure you're not collecting or doing things that are not providing value to the business any longer. People have a tendency to collect tasks and have a really hard time not doing them anymore,” Ortiz says.

CISOs can’t be “laser focused” on all tasks at hand – when everything is a priority, nothing is a priority. Ortiz suggests governance as a way to prioritize initiatives and operational tasks that will advance the cybersecurity program and business in tandem. 

“It can be a tough decision to make, and at times you have to say, ‘we're going to stop doing that,’ or, ‘we're going to re-prioritize,’ as opposed to us continuing to do something,” says Ortiz. But to focus resources appropriately, move the business forward and keep it safe, the ability to govern is fundamental.


Special thanks to David Ortiz and Church & Dwight.
