This post was spurred by Justine Aitel’s talk at SOURCE Boston, where she reportedly (not having been there, I find that a bit hard to confirm) said that the IT risk and security industry needs to use the term “cyber” in order to reach the business audience more effectively.
Yes, security has a problem communicating. No, it is not what you think it is. Yes, using “cyber” can help. No, it’s not what you think it is.
Communication - listen!
Infosec people love to talk. Incessantly, when it’s about something near and dear to them: the sky falling, their latest gadget, or … you get the idea. They also love to talk about listening, and about how we’re not doing it right. And don’t interrupt us while we’re telling you how we need to listen more and talk less. :-) Yes, the secret to good communication is listening.
In the corporate world, that translates into knowing and understanding:
1. The industry you are in. Both locally and globally. Know the local industry thoroughly, keep tabs on what the leaders globally are doing, and see how that translates to your local environment. How?
- Read the industry magazines. There are plenty of online resources, papers, etc. Keep a cursory eye on them.
- Join a couple of industry bodies. There’s always one or two forums.
- Ask in your company, but always be ready to also look outside.
2. What your organisation’s goals are. Not the stated ones, the real ones. The ones your organisation needs to hit in order to make whatever it promised to the markets a reality. How?
- Talk to people at the coalface, so to speak. Project/program managers, architects, developers, marketing and advertising, finance.
- Establish good relationships early on with a few people in different areas. Look for people you get along with personally, regardless of how their position is perceived. Organisations leak bits of information everywhere; your role is to pull it all together for yourself.
3. What the department heads, the chief executives and others in positions of power need in order to meet their Key Performance Indicators. Sometimes this will be stated quite bluntly; other times you will need to put a lot of disparate data together in order to see the bigger picture. How?
- Establish initial rapport: just offer to see if you can help people with anything.
- Give a presentation on what you/your team are doing. Show how it is relevant to your audience. To get something, you have to offer something.
- Simply ask. Ask how you can help.
4. The type of conversations to avoid: purely negative conversations that don’t come with “and this is how we can fix it” suggestions are a drain. Steer clear.
People say this is easier said than done, but the fact is that you need to talk to people at all levels.
- It helps if you are naturally curious.
- It doesn’t help if you are naturally extroverted: in that case you will need to work on your listening skills.
- It doesn’t help if you are naturally shy: in that case ask someone you are at ease with to introduce you to those you want to talk to, to break the ice.
- It doesn’t help if you are:
Cyber here, cyber there, pretty soon there’s cyber everywhere
No, talking about cyber as “the big bad thing that will end us all if we don’t …” is not going to help anyone. Your company already navigates more risks than most infosec people can imagine, and does so on a daily basis.
Talk about “cyber”, and explain to the decision makers, and to anyone who will listen (that’s a good way to get time with the decision makers, too), what cyber really is and how it relates to current affairs.
A hint, and a useful bit of trivia to break the ice: explain that the term “cyber security” came about as a response to countries, spearheaded by Russia and China, that consider “information security” at the national level to include propaganda, control of the flow of information within the country, and so on. After Russia started pushing for a UN resolution on “information security” that, in some interpretations, treated dissent as an information security problem, the West started using the term “cyber security” in national conversations to distance itself from the Sino-Russian definition.
If you’re in Europe, use the example of Russia and Ukraine. If you’re in the US, use the example above, but also the espionage from China and how the cultural differences (a serious problem) make the discussion harder because the terms are understood differently (draw analogies between IT and the rest of the organisation?). No commonly defined terminology = mucho confusion.
And in the end, it helps if you know just what cyber really is. Trust me on this: you don’t want to propagate a half-definition of this phenomenon.