The New CISO Ep. 77: Storytelling For CISOs – How to Make Your Message Resonate with Tom August
Podcast Transcript | Air Date October 20, 2022
Listen to Steve and Tom discuss how to captivate executives without fearmongering and navigating hard conversations with the broader organization:
Meet Tom (1:55)
Host Steve Moore introduces our guest today, Tom August. Over his decades-long career, Tom has worked across multiple industries, from healthcare to military defense to financial services.
A lifelong fan of electronics, cybersecurity became a life-changing move for Tom, despite having an initially unrelated start.
Tom’s Take (5:30)
Steve presses Tom on what it was like watching the famous John McAfee and his team work when Tom was an accounting intern.
Tom appreciated being brought onto their team, and was able to observe McAfee’s organized methodology when handling a security breach. As a wide-eyed college student, Tom was fascinated by everything he learned and wanted to do more.
The Move To Financial Services (9:07)
While building out the security program at a financial organization, Tom had the opportunity to be mentored by one of the original CISOs, Micki Krause. Recognizing that Micki is a trailblazer in the cybersecurity industry, Tom appreciates that he learned both technical skills and how to communicate with chief executives as a product of Micki’s mentorship.
After being challenged by Micki, Tom was encouraged to write security books, leading to the CISO Handbook.
The CISO Storyteller (15:50)
To Tom, every CISO needs to be a storyteller, though few have mastered that skill. Often CISOs will speak to executives using different buzzwords and acronyms, versus adequately explaining the problem they are trying to solve. To combat this, Tom urges listeners to work on their communication skills.
The IT Audit (17:07)
While working in a technical network security role at a Japan-based company, Tom led audits that uncovered hard truths about the organization. Tom had to present this research to international executives as a result — which culminated in a difficult situation.
Although Tom can’t share much information about this time, he acknowledges that specific cultural differences made it challenging to convey the problem at hand.
A Lever of Influence (27:55)
Due to his mentor relationship with Micki, Tom learned a simple but valuable risk-management methodology. Tom decided to take that further by meeting with executives individually to see what they cared about in terms of risk.
As a result, Tom could ensure that he could meet the needs of his organization. By the time he met with the board, there were no surprises about his security plans.
Improving Our Stories (36:50)
Steve presses Tom on why so many CISOs lack comprehensive storytelling skills, which Tom credits as their need to be correct. Recognizing that CISOs have good intentions, Tom also understands they can miss the bigger picture.
If you are a CISO, you should know why your problem is compelling, and if you can sell that, the “where, ” “when,” and funding will follow. A key tip is not to be confusing with your delivery — according to Tom, clarity is what keeps executives captivated.
Risk Vs. Compliance (44:46)
Due to his accounting background, Tom understands that auditors are well-intentioned but limited due to their checklists. Knowing that risk does not follow the rules, Tom explains that compliance is not always the most helpful approach.
Risks are difficult to quantify and require everyone involved to be on the same page about the next steps.
The Modern CISO (49:55)
To Tom, being a new CISO means you are a fantastic listener and business partner, as well as someone who understands both risk and compliance. Ultimately, you need to be a good storyteller who knows how to synthesize information and make your message resonate.
Links mentioned: