Tell your story using messaging that will level-set awareness on what security’s role is and how it brings value to the business. Use whatever format works best in your culture.
As for how you effectively tell your story and what should it include, we've found that successful security leaders use a strategic story catalog or master to choose briefing material from that fits the audience and culture. Some of the major components include:
Once you have your master story created, you need to think about who you need to communicate this to. We’ve identified up to eight audiences you likely should tell your story to (see below); each audience will receive a part of your story that is relevant to them. You will find that some of your messaging will overlap between audiences.
A few examples of audience specific messaging follow.
As the new security person, having a simple elevator speech in your back pocket that quickly explains what security does and what it can do for the business is an effective communication tool to have readily available. This may be used for a variety of audiences you come across during your day-to-day activities.
Some of your first meeting stops will be to the executive management team and your new boss. For those meetings we suggest a concise program overview. An example of a "story" may be one of a transformation; that is - no formal program existed 3 months ago; here’s Security’s current role; and recent accomplishments and future opportunities (e.g., program elements, plans and objectives) identified. For this audience focus on how the program adds value to the organization (e.g., protects assets: people, processes, brand and information). This may be built upon to include activities and operational excellence using data to support your story. It may also include elements such as emerging and futuristic trends that will affect the company and security. The messaging may take 45 minutes to deliver in whole; however, it’s best to be prepared with one or two of the most important messages you want to convey up front in one or two charts, in the event you’re only given a short meeting time.
For the general employee population the communication may simply cover your role and include department mission and vision statements, functional organization chart and summary detail of the programs and services you are responsible for executing.
It is critical that you the security leader, your boss and the entire security team are telling the same concise, cohesive "brand story" to the different levels of audiences and internal company stakeholders. The goal is consistent messages that are delivered through multiple channels over long periods of time.
Answer provided by Liz Lancaster, Director of Tier 1 Leader Services & Projects, Security Executive Council.