At Websense, for example, there isn't a communications person dedicated to security issues, however, internal security architects and members of the security operations team share the task of promoting policies, educating the user base on various threats or security topics and creating security-related content for newsletters and corporate training. While the multi-team approach gets the job done, Barton admits that messaging could be more effective if it came from a central resource with a single voice.
"Most of the people in our IT organization and in engineering and development know portions of our security policy, but they don't know all the policies across all the disciplines," he says. "There's a huge advantage in having someone with a dedicated IT hat on handling communications for the organization. You get consistency of message, more timely notifications and have a central point to handle the policies and interpretation of those policies."
Core Security's Cowperthwaite says the task of communicating about security-related issues falls primarily to himself and the CIO, which keeps messaging fairly consistent. While most employees at Core Security are familiar with security practices and lingo, Cowperthwaite says it's incumbent upon security leaders to make sure they're talking about issues and policies in such a way that has impact on the business.
"You can't just communicate what the policies are, you have to explain why the policies are that way and what the impact would be on the company if they aren't followed," Cowperthwaite explains. "You also have to be able to communicate the policies in such a way that you are working to gain agreement rather than being a dictator."
Another upside to having help from a communications professional is knowing the best way to get the message out so it has the optimal impact. In Cowperthwaite's previous role at the health care organization, the communications team turned security messaging into a multi-channel campaign that was supported by posters and other materials in common meeting areas--tactics he says, non-communications professionals like himself might never have thought of.
While that kind of expertise isn't as important to his role today in a security-focused firm, Cowperthwaite says he wouldn't think twice about enlisting dedicated communications help if he ever moved on to another organization. "If I was a CISCO at a non-security company and the role didn't exist, I would prioritize it very highly on my list of desired hires," he says.
Sign up for CIO Asia eNewsletters.