Group CISO & CTO
With security threats rising to the top of the business agenda, security priorities are becoming business priorities. It is crucially important for CISOs and CIOs to communicate cybersecurity risk clearly and effectively to other C-suite leaders and the Board. However, it’s not as simple as it sounds to be an agile changemaker in a global organisation while establishing a culture of security among thousands of employees.
At Compass Group, Group CISO & CTO Imran Ali and Group CIO Craig Charlton have been on a three-year journey to collaborate and improve the effectiveness of their communications about risk. At the start of their collaboration, they realised that Board leaders had varying degrees of experience with cyber risk and were not necessarily aware of the security approach at the organisation.
As Craig explains, “In 2019, I had been in the role a year, and we were still shaping up the Cyber Framework. I had gone to the Board to discuss overall Digital & Technology Strategy, and we digressed into details of cyber security. It became very clear that each Board member had different experiences, expectations and a different understanding of what we were doing.”
“Many had concerns about our approach, which fundamentally came down to a lack of prior communication and articulation of how we were managing cyber security.”
A Risk Communications Journey
Craig says that they started collaborating on a new approach right away that year, and “it started very much as a risk articulation approach.” They have matured the communications since then both in the cadence and in the content. According to Craig, they now include the “status of controls framework mitigations, operational metrics and specific security initiative updates.”
One of the keys to their success, Imran says, is that “we are both 100% aligned on the importance of cyber security.” Imran also notes that the two leaders and their teams have regular communication to ensure they are aligned. “It’s important that we provide a joined-up view on our expectations from the rest of the organisation,” he adds.
Craig also notes that the status updates and metrics are communicated to the whole organisation, “so that the Board presentation is actually a culmination of our local, regional and global governance model and reporting.”
Strategies for Communicating about Risk
These are a few lessons they have learned about risk communications.
- Keep it simple. Imran explains, “Try to use business language when communicating about the risk,” as leaders from other backgrounds besides security and technology are more likely to understand. He goes on to say, “One of the ways to make it a bit more concrete and real for the business is to conduct desktop exercises with the country executive team. It helps them appreciate what the business risks are while at the same time developing muscle memory, so they know what they need to do if they ever are in a crisis.”
Craig echoes the point about simplicity, saying, “Keeping technical and abstract principles out and simplifying the message such that non-experts can understand has been absolutely critical – and that’s all down to Imran.”
- Communicate up and down the organisation. “Employees are our first line of defense,” Imran says. “We send simple, short, weekly messages translated into 22 languages to over 110,000 knowledge workers to cover tips on what they should do or not do.” In addition to this ongoing communication, they organise an annual security awareness week and conduct regular phishing campaigns to help teams identify risk.
- Customise for different situations. Imran explains that they do not have a one-size-fits-all approach in a global company. Instead, he says, “We have at the group level defined a control framework with prioritised controls and a maturity model. Depending on the risk profile of a market, we agree on a target in terms of what controls to focus on and the maturity score that they need to achieve.” He adds that this approach of setting targets and monitoring them “makes it easy for the business also to understand where the gaps are.”
- Bring security to the forefront. For many security leaders, there are infrequent opportunities to communicate with the Board about risk, but Craig credits Imran with solving that challenge. “Without Imran and his security team, we would not be in a strong position to communicate to the Board with the cadence and detail that we do,” Craig says. “He has shaped up the overall governance and controls framework that involves me at the right times and made the reporting such that it transcends the organisation from security professional to non-executive.”
Communications as an Ongoing Practice
Both Craig and Imran credit their partnership for the improvements and success in measuring and communicating about risk. As Craig says, “Our partnership over the last 3 years has strengthened to the point where the process is now that we execute really well each time we go through the Board preparation.”
“Communication between each other leads to strongly aligned communication to stakeholders.”
They both emphasise the importance of building a strong, collaborative relationship between the CISO and the CIO, describing it as a partnership built on “trust and respect for each other’s competence and experience.” They agree that “Cyber is such a hot topic in enterprise risk that the CIO must understand and be conversant in it at multiple levels. We talk pretty much every day.”
Imran adds that it’s important to recognise that security – and communicating about it – is a journey.
He advises other security and IT leaders to “identify your main risks and develop a plan to address them. Keep your plans ambitious, but achievable. Get your teams involved and engaged to drive the improvements.”
One thing they have learned, according to Imran, is that “trying to frighten the Board does not help… We need to educate them, too, that it’s a journey. New risks will come along, and we will need to keep evolving our plans.”
You can learn more best practices on communicating about risk from Imran and Craig at their keynote session at the upcoming UK & Ireland CISO Executive Summit on 7 June. Qualified CISOs can join their peers for a day of networking, sharing and learning at the Royal Lancaster London.
Special thanks to Imran Ali, Craig Charlton and Compass Group.