Listening to the political conventions these past two weeks, I couldn’t help but think about security: the conversations security practitioners have with senior management and other business units, the conversations practitioners have amongst themselves, and yes, even talks given at conferences.
You see, neither of the two nominees running for president in the upcoming election are particularly good public speakers, and with whichever party you are aligned and whomever you choose (or not) to support, there has been and will be a lot of speech-making. The candidates are fervently trying to make the case for why he or she is the best choice, and they do this through various forms of communication—speech, words, body language. The candidates’ communication styles couldn’t be more different; one shouts at his listeners, never wavering in confidence or bravado. The other has an almost monotone delivery, the passion she speaks about feeling barely coming through. Neither style is terribly effective, which is why many voters are left feeling like they have to choose between the best of the worst.
In the case of the U.S. election, a choice will be made. One of the candidates will become our 45th President. With security, on the other hand, companies don’t guarantee funding or support, even given the current threat landscape and onslaught of breaches. Yes, corporate decision makers are waking up to the importance of information security, but it’s still going to take a lot of convincing to help non-security professionals understand what’s at stake and how our companies and lives can become more secure. And yet the conversations happening behind closed doors and at public conferences aren’t reaching the level of efficacy required for the situation.
Jive talking’, you wear a disguise
For several years the industry has been talking about how security needs to speak the language of the business. Just this week, in fact, I saw an article whose headline proclaimed that security practitioners are going to be fired if they don’t speak the language of the business. Fired—for not communicating in a certain way. I don’t necessarily agree with that notion, however we have been talking about talking about security for a long time.
Information security, by its very nature, is adversarial, and by default, many practitioners have adopted that tone when talking to others about the practice. Too many conversations still start with, “if you don’t…,” or, “we’re losing,” or, “nothing is impenetrable.” While they might be true, these words are confrontational, immediately putting the listener ill at ease. A lot of passion is prevalent in the industry, too. Unfortunately, unbridled passion doesn’t always translate well; the voice raises in pitch and volume, making the listener feel like he or she is being assaulted. Fight or flight kicks in, and now you’ve either got an audience that has tuned out or one that feels it must counter your claims. Neither situation is ideal if the goal is to attract support for the security program.
So, too, must practitioners beware of overusing the clichéd phrases learned from self-help books. “I hear what you’re saying, but...” or, “I understand your concerns and…” are instant code for, “I’m about to disagree with or tell you you are wrong,” and most everyone knows it.
Jive talkin’, so misunderstood
What is missing from so much communication today is real compassion—not passion, security folks have plenty of that to go around! Security conversations need to be relatable; much of what security does is foreign to business professionals. It doesn’t help to talk in bits or bytes, and it also doesn’t help to assume the non-security person can’t or won’t understand. The industry needs to learn how to use words and tone to help others relate to what’s happening or needed. Instead of saying, “You wouldn’t understand,” or, “the technical details don’t matter to you,” create a story using a common analogy. It looks trite on paper, but bringing something complex to a relatable level is one of the best ways to earn respect and support for ideas.
Another trial in choosing words and tone wisely when a significant topic is addressed happens when a non-security practitioner challenges how or if the security function is succeeding. Security does, in fact, succeed when nothing happens, so from a non-security standpoint—all other job functions are measured on what happens, not what doesn’t—it’s reasonable to wonder where the effort and money are going. In these situations, it’s hard to remain calm and measured. The key, though, is to consider the other person’s point of view: what efforts have taken place and for what was the money used? Looking at the question from the other person’s point of view takes combativeness out of the equation and helps you explain how something can be working if there’s nothing tangible to show. Security professionals are comfortable with the idea that a non-event equals success, but others are not. It’s like talking about ghosts or the afterlife; some people automatically believe while others demand proof. Security teams can’t take it as a challenge when someone asks to be shown how a program or project is progressing. The industry needs to improve communication around successes, even when the success is, “We don’t have any malware on our system today! Nothing further to report!”
Finally, security practitioners need to let their vulnerabilities show. Yes, “vulnerability” is a dirty word in security. It means a problem exists and it must be eradicated ASAP. In terms of communication, though, the best communicators are the ones who demonstrate vulnerability, humility, and the desire to learn (which means they can’t always be right). No one is right all the time, and no one can’t learn something from another’s perspective. Security needs more innovative thinking, and sometimes the best way to start thinking innovatively is to consider a completely different idea, opinion, or angle. The craziest idea might spark thinking that leads to a new tool or process that helps security immensely. Security practitioners are too quick to rule out ideas that don’t directly tie to security, and very little that’s groundbreaking has been developed in the last several years by the industry. (We’ve seen some pretty awesome innovations outside of security, however.)
Jive talkin’, you’re really no good
Vulnerability and openness will invite others into conversations, making conversations less contentious and more effective. Speaking to an audience with a level of respect and relatability will create an environment where others want to help rather than challenge or pick apart. Removing an overabundance of passion will allow others to see your point of view without having to bob and weave around harsh words or a negative tone.
Changing communication styles is not easy, In fact, it may be one of the hardest things to do because, to so many, it feels inauthentic. Editing the way you speak, however, doesn’t mean giving up your core values. In fact, you might find that more deliberate and well-planned communication better reflects your thoughts and feelings. How many times have you come out of a bad conversation and thought, “I should have said ‘X’”? It’s that kind of critical thinking that needs to go into communication planning that will help alleviate the need for excessive hindsight and help you get your message across effectively the first time around.