When communicating infosec, let the audience determine the message
From corporate boards focused on mitigating risk to workers who will open any email attachment, security leaders are charged with communicating the importance of information security to a spectrum of users. But attempting to discuss technical topics with people who struggle with Gmail may not produce the desired results. And a CEO may not need to know what firewall detection rules an analyst is writing.
There’s no single or right way to explain why information security matters, judging by the responses of security executives who talked about this topic with us as part of the Cybereason CISO Interview Series. The important point, according to three executives we interviewed, is letting the audience determine the message.
We’re presenting each of their perspectives here in an effort to help security leaders better communicate with different users. One viewpoint emphasizes storytelling, another calls for using resources that are already available and the final one questions the value of trying to reach people who lack a technical background. Hopefully one of these methods will help you better connect with different users and improve your organization’s security.
For John Knights, whose career included serving as the information security officer at Wentworth Institute of Technology in Boston, conveying the value of security means telling a story with a message that’s tailored to the end user.
Knights’ story to students, who “don’t necessarily care that you are protecting the integrity of the institution’s data,” focused on what can happen when they leave their laptop unprotected.
“If that goes away, so does all their stuff,” he said, adding that he also reminded students that replacing a lost laptop could cost $2,000, a sum that’s substantial for a college student.
“With trustees, you add a few zeroes to it. It’s about we’re not going to get sued, we’re not going to ruin our reputation,” Knights said. Faculty want to protect their research, which could span decades, so he used IT examples, like the need to back up data, to convey security. For staff members who are aware that emailing spreadsheets with personally identifiable information could cost them their job, “it’s about staying out of trouble,” so for that audience Knights’ stories looked at security basics.
“People do want to do the right thing but security does mean you have to do a little extra work. And it’s our job as the IT folks to figure out a way to allow secure computing but also allow the business side to do what they need to do. It’s finding that balance and that’s the art to information security,” he said.
When educating non-technical people on security, remember that “Google is your friend,” said Jonathan Kamens, CISO of Boston financial tech startup Quantopian.
“For any aspect of security, somebody, and frequently many somebodies, have already done the work to create appropriate, accessible content,” he said.
Instead of cranking out a PowerPoint presentation on the 20 critical security controls, search the Internet for the non-technical explanations and diagrams that people have already created to explain the topic. “Go out, find what’s out there and use it. Don’t try to rewrite everything yourself,” he said.
At Quantopian, Kamens faces the opposite challenge: he has to keep extremely technically-oriented staff engaged when explaining the non-technical aspects of security. An engineer by trade, he understands that a 45-minute video with quizzes on how to identify phishing emails may not appeal to people who know how to program. To help them get through the exercise, he empathizes with them, appeals to their sense of company spirit and stresses that in the financial services industry, “there are going to be some things that we just have to do.”
Trying to explain DLL hijacking, malware obfuscation techniques or other technical concepts to people who don’t understand how computers work is a lost cause.
“There are some things that you can’t reduce to explainable terms that make sense and still have value. It may make sense but it may not have value. Or it may have value but it may not make sense. It’s really hard to get some of these concepts across,” said former CIA CISO Robert Bigman. “I spent a lot of time trying to explain technical concepts and it occurred to me that this wasn’t working well, either for me or them.”
Instead of conveying the technical aspects of security to business executives who may not grasp them, Bigman, who now runs a security consulting firm, tells CISOs to develop a relationship with them so they trust their decisions. When a security incident arises, business executives need to believe that the CISO is making the proper recommendation. In those cases, the technical details aren’t important for the business side to grasp. They’re more interested in when normal business operations will be restored and in mitigating future risks.
“You really don’t have to know every function of your car before you drive it. That’s also kind of true in cyber security,” he said, adding that no other industry requires people to explain the most obscure aspects of their job to all members of a company.
For IT departments, though, Bigman recommends making sure that they know the CISO’s plan since they’re most likely executing the security policy’s technical parts.
The notion that the audience dictates the message makes sense when considering that security executives are ultimately protecting people. CISOs and CSOs need to reach them if they hope to keep their organizations safe.