1st Edition

The Security Leader’s Communication Playbook Bridging the Gap between Security and the Business

By Jeffrey W. Brown Copyright 2022
    394 Pages 29 B/W Illustrations
    by CRC Press

    This book is for cybersecurity leaders across all industries and organizations. It is intended to bridge the gap between the data center and the board room. This book examines the multitude of communication challenges that CISOs are faced with every day and provides practical tools to identify your audience, tailor your message and master the art of communicating. Poor communication is one of the top reasons that CISOs fail in their roles. By taking the step to work on your communication and soft skills (the two go hand-in-hand), you will hopefully never join their ranks. This is not a “communication theory” book. It provides just enough practical skills and techniques for security leaders to get the job done. Learn fundamental communication skills and how to apply them to day-to-day challenges like communicating with your peers, your team, business leaders and the board of directors. Learn how to produce meaningful metrics and communicate before, during and after an incident. Regardless of your role in Tech, you will find something of value somewhere along the way in this book.


    Preface xvii

    Acknowledgments xix

    Author xxi

    Introduction 1

    Part 1 Communication Foundational Skills 13

    1 Foundational Communication Skills 15

    2 People Skills 43

    3 The Language of Business Risk 59

    4 Company Culture 79

    5 Better Business Writing 93

    6 Say What? Verbal Communication Skills 119

    7 Communication Superpowers 157

    Part 2 Communication in the Real World 183

    8 Policies, Standards, Guidelines and Procedures 185

    9 T raining and Awareness 203

    10 Driving Change through Metrics 217

    11 The High Stakes of Incident Response Communication 235

    12 Communicating with Your Team and Colleagues 249

    13 Managing Up: Finding Your Boss’s Communication Style 269

    14 The Board of Directors 279

    15 Working with Auditors 295

    16 Your Next Job 305

    17 Consultants and Sales: Building and Maintaining Client Relationships 325

    Appendix 341

    Index 361


    Jeffrey Brown is a recognized information security and IT risk expert with a strong track record of more than two decades implementing cost-effective controls for global Fortune 500 financial institutions, including Citigroup, Goldman Sachs, GE Capital, BNY Mellon and AIG. He is currently serving as the first Chief Information Security Officer (CISO) for the State of Connecticut. Jeff is active in the information security industry as a frequent speaker at various events and conferences and is the author of multiple articles and publications. He co-Chairs the Evanta New York CISO Executive Summit and works in an advisory capacity with various events, including the Cyber Investing Summit. He is a board advisor and mentor for iQ4 in their Virtual Cybersecurity Apprenticeship Challenge, which aims to prepare some 10,000 students for the workforce and help address the security skills shortage. Jeff holds a B.A. in Journalism with an English minor and an M.S. in Publishing from Pace University. He holds multiple security certifications including CISSP-ISSMP, CISM and CRISC.

    Foreword for The Security Leader’s Communication Playbook by Jeffrey W. Brown

    The CISO role has evolved so rapidly in Fortune-class organizations -- from a siloed technologist to now a C-Suite leader who advises on the confluence of infosec, risk and business initiatives. Jeff Brown is among a small cohort of security leaders who have been at the forefront of this evolution.

    Jeff has led security teams in Fortune 500 financial services firms and now as the first CISO for the State of Connecticut. He’s brought that experience to this book and mixed it with his humanities training – he was a journalism major before he went into infosec – to offer an invaluable perspective on how CISOs must communicate to be effective.

    Communication isn’t a CISO ‘nice-to-have’ -- it’s now an essential skill. One meeting, they need to help a sales regional head understand and own risk around customer data collection processes. The next meeting, they’re briefing the board on the risk associated with a new acquisition and presenting a mitigation roadmap. CISOs must be influencers across levels of the business. Communications skills drive influential interactions.

    In this book, Jeff taps into his experience and skillset to provide clear, actionable guidance on the communication skills CISOs need to connect with the business. This hands-on guide doesn’t talk abstractly about how to communicate, but instead speaks directly to CISOs’ needs and is an essential part of any CISO’s library.

    "I remember having a conversation with a friend about my desire to become a security architect. He told me, "Be wary; the security realm is politically charged and full of less competent people. Everywhere he had worked had derogatory opinions on the security departments and architects." As I read this book, I couldn't help but wish that all security practitioners had access to this informative guide. Having worked in various security organizations, I have witnessed the success and failure of the security function. The common factor that distinguishes these scenarios is how well the security leadership and teams comprehend and align their work with the business objectives. This book is a valuable manual for every security practitioner who seeks to bring value to their organization. Personally, I will hold this book close to my heart as I progress in my career."


    -- John Kuforiji PMP