It is hard to pick ONLY one skill for security leaders (CISO, Information Security Officer, Cyber Security Risk Manager, etcetera) that I consider the most important.
Leadership, whether related to security or not, is not about only one thing. A leader needs to be versatile. I have mentioned this several times on my website, and I do so once again: security is not about one single element.
Security is not only about processes, humans, or technologies in isolation. These are, as I would call them, the core elements. But at the same time, security is about much more than what is found inside each of these core elements.
“Security” + “Leadership” is, therefore, a discipline that requires multi-disciplinary skills and favors the one who is versatile.
This article is primarily about one of the skills that we, as security leaders and professionals, need to master to become successful in our organizations: communication, i.e. speaking the language of security. I will explain why we need to speak a “certain language” and how we can get better at communicating with our audience.
THE CHALLENGE
One of the general challenges with security boils down to how we speak about the subject, and how we communicate with our stakeholders inside and outside our organization. If we cannot speak so that our audience understands us, we will most definitely, in one way or another, struggle to achieve our organization’s goals. We will sub-optimize the value that security creates.
And we will have a harder time engaging our team. We will not be able to influence those who need to be influenced. We will not be able to reach out with our mission and support our organization in the best way to become successful.
The challenge around how the language of security is spoken and communicated is also a result of many standards, frameworks, and methodologies using their own taxonomies and explanations. A thing given one name in one standard may be called something similar, or something else entirely, in another. This leads to general confusion among security experts and our audience alike.
A lack of a uniform language does not make things easier, but there are ways around it, ways we as security leaders can speak more effectively and communicate with our audience. Hang tight and continue reading.
THE SOLUTION
Hold on to your chair now! The language we need to speak with our stakeholders who do not have technical security know-how is not our own language. It is not the language we speak among ourselves as security experts.
We need to speak their language. We need to speak with our stakeholders in their own words. We need to look at security from their point of view.
We need to put security into the context of what it means for them, from a business and organizational point of view. The importance of communication skills should not come as a surprise to you as a security leader, though.
If you consider yourself a master of this skill, you may stop reading here. If you want to learn more about it, I recommend you to carry on.
TEAM SPORT
Why do security leaders need to master the skill of communication? Security is, within almost any organization, a supporting function. This means that we, as the experts in the discipline, need to be able to explain, for example, “why” security is important, “what” it means for the organization, and “how” we can and do support the organization.
Security is not a single-player campaign mode game where the CISO acts as the ultimate superhero, a.k.a. Batman, in the IRL world, chasing down all the bad guys and keeping the organization (or, in Batman’s case, Gotham City) safe and protected. Security is a team sport.
So how can we as security leaders better approach this and form that team? How can we bridge the gaps and become a supporting function that our organization feels is there to help them achieve their goals?
I would say that it is not enough if we can speak the language of the business unit we support. And when I say “speak the language”, I do not mean that we as security leaders should be able to speak with the finance department in their own technical terms. What I mean is that we need to be able to understand them.
What are the challenges the business stakeholders face on a daily basis? What are the most important assets they manage in their business process? What does security mean for them? How do they experience security in the organization in its current form?
We need to understand how the business unit we support contributes to the organization. We need to understand their “why”. What is their mission in supporting the organization to achieve its goals?
We as security experts need to team up with the organization we support. Being a team player is also a skill. And if you as a security leader have solid communication skills, establishing teamwork becomes much easier.
Communication skills are essential for establishing trust and engagement, and for influencing your stakeholders so that together you can accomplish the mission, vision, and objectives of your organization.
“I am fluent in over six million forms of communication, and can readily…“
C-3PO, Star Wars - Return of the Jedi

A CISO, for example, needs to be able to communicate security in the context of a wide audience within an organization. The CISO dude (or woman) needs to be able to talk security in the language of HR, Compliance, Finance, Sales, Marketing, Operations, and <insert business unit here>. This is the superhero power that the CISO, and you as a security leader, need to have to become successful. To become that supporting function in your organization.
You as a security leader need to be the Batman dude with the skillz of C-3PO, who can apply a different set of languages. I mean security in the language of the business unit you speak with. You need to be able to speak that language and craft the stories, and the visuals, around what security means for your specific audience. And when I say “speaking”, it does not mean that you as a security leader need to be a subject matter expert in the business unit’s processes and activities. You need to be able to communicate: ask questions, listen, and understand. Communication is not only about speaking.
And security is not an isolated IT discipline. Yes, you heard me right. I say it again: “Security is not an isolated IT discipline”. Security is about the business and the organization. Security exists to support and protect the organization. It is the organization that will suffer the most pain and negative impact from an actualized security incident, breach, or attack. If you feel lost in a conversation, default back to this part. Security is not about you and making you look cool. It is the opposite. You are there to make others look cool, i.e. to help your organization become successful.
COMMUNICATION
Everything I am talking about in this article comes down to communication skills. When I refer to “communication” in this article, I mean how we as security professionals interact with our audience through the language of security: how we communicate with our audience to make sure they understand us and we understand them.
I would say that communication is the most powerful method out there for creating increased awareness and understanding of why security is essential for an organization and its individuals.
There is no single truth for how communication in the realm of security shall be delivered, verbally or illustratively. Every context and organization has its own culture, challenges, business mission, vision, objectives, risks, threats, requirements, and so on.
I have several times experienced, and still do, that there is a “glitch”, usually between those who have technical understanding and the business stakeholders in an organization, around why security is important.

“The glitch” is very often a result of how the communication takes place between these two parties: how the language is spoken. A technical language is needed, but it will very rarely land well or be understandable to those who do not possess technical know-how. Business leaders, for example.
CVEs, exploits, zero-days, TTPs, pass-the-hash, backdoors, Mimikatz, Metasploit, APT, and that kind of stuff have their place, but they are very rarely understood by, for example, a board, executives, and senior leaders in an organization. Among peers, or persons in the organization who work in disciplines where these acronyms and terms are part of the job, they make total sense. There, these things are needed in our “security communication & language”.
And it is also the other way around. A person who is specialized in, for example, offensive security (penetration testing, vulnerability assessment, and other forms of security testing) will generally have less knowledge and experience of topics such as business management, or of how to interpret financial KPIs and translate them into security initiatives, metrics, and so forth. There is nothing wrong with this. This is just how the world works.
“Henrik, you explained a very complicated and abstract subject through both an entertaining and simple way! It was a pleasure to listen to you. This was one of the best presentations I have participated at.”
<N N>, Head of Research and Development, Climate industry
“You always want to have something to comment, give feedback on or suggest to improve. But this security presentation, both the verbal story and visual presentation, was flawless. Thank you Henrik!”
<N N>, Chief Information Officer, Global Retail Company
“If you ever think of changing career from the security industry, I recommend you to transition into lecturing at universities. You make things easy to understand and know how to engage with your audience.“
<N N>, Head of HR, Engineering Company
When I worked more on the technical side and did hands-on stuff, I had less business interaction and, for that reason, less understanding. But when I needed to interact with the business, I made sure to team up with those persons who knew things better, those who could help me or teach me the stuff I did not know much about.
Learning how to communicate and speak the language of security so that your stakeholders understand you as a security leader is not something that is learned from a multiple-choice exam. Nor is it learned only from reading this article. The way to learn it is to:
communicate
with
your
stakeholders.
The best and most effective way to learn how to communicate is “learning by doing”. There are no shortcuts here. You cannot cut corners on this one. You cannot substitute vocal communication with e-mails, chat messages, written reports, and that kind of stuff. You need to speak verbally with your audience. Think about how you would like your own leader to communicate with you if there were a subject you needed to have a conversation about. I do not think, and hope not, that e-mails or chat messages are your default answer.
Learning how to communicate is practiced and learned by doing. A textbook, or me telling you this or that, will not teach you the skills. I can, as I do in this article, coach and guide you on how to do it. But if you want to become better at it, you need to get out there and do it. You need to verbally communicate with your stakeholders.
The second best way to learn the skill is by listening to how other successful security leaders communicate. You do not need to imitate how others do it, and you do not need to learn only from security leaders. I think all of us have people around us who have that powerful ability to engage an audience and tell good stories. Listen to these people and learn from what they do. What is it that makes their communication good?
HOW TO
Below are a couple of examples of powerful questions that I encourage you to try out the next time you interact with your stakeholders, i.e. business leaders and executive leaders.
- Can you explain to me how you support our organization? I want to learn from you how you do it and what you do so that I can, from a security perspective, better support you to achieve your goals.
- What type of digital assets do you manage within your business process?
- Who is, if you have appointed one, the asset owner of these assets?
- What are the most critical assets within your business process?
- What security-related risks do you see that, if actualized, would cause a negative impact on your business process?
- How do you experience the way we in the security team communicate with you and your team members?
- Are we communicating with you and your team in a way that is understandable?
- Is there any way we can improve how we communicate with you?
- Do you have any general feedback for us, so that we can improve our collaboration with you and your team?
- Is there anything we can improve related to:
  - Quality
  - Delivery
  - Support
  - Communication
And make sure that each time you communicate with your audience, you explain why the thing you speak about is important, or why things need to be done in a certain way. Be mindful of what you communicate.

Below are two examples of how security information can be communicated, in a good way and in a less good way. They simply showcase how the “Why” can be improved when a message is propagated.
Example #1
Good way: We have enabled multi-factor authentication on all of our applications and systems that are reachable from the internet. This change has been made to increase protection against cyber criminals attacking us, and to protect our assets at <Organization Name> and you as an employee. Please read more about the change at the following link: <URL>.
Bad way: We have enabled multi-factor authentication on all of our applications and systems because this is a requirement according to our information security policy.
Example #2
Good way: Our organization’s strategic plan for the coming 2-5 years is to increase our growth. To achieve this goal, we will increase our mergers and acquisitions from x% to y% yearly. At the same time, we need to ensure we are making risk-aware decisions and investments, both from a business perspective and from a cyber/information/IT security perspective. As a joint effort, our business leaders and security professionals will establish a standard and intelligent process for managing our organic and digital growth in support of our strategic objectives.
Bad way: We as an organization will increase our rate of mergers and acquisitions. It is important that we stay secure and risk-aware.
The questions and examples above are just that: examples. You can use them as a base or as inspiration to craft your own. The takeaway message here is to “ask questions”, and to ask questions that help you, as a security leader, to better understand 1) your audience’s business and 2) how you as a security leader can help and support them to achieve their goals.
EPILOGUE
Security is a team sport, and to help your organization become successful, both from a technical and a business perspective when it comes to security, the language and communication we use are key.
Always take extra care to ensure the message you are propagating and communicating is understood by those in your audience. Ask that extra question:
“Is there something in my message that was unclear or that you want me to elaborate on further for you?”.
I ask this question so many times (that I almost become tired of asking it), and very often I hear something like this in response:
“Yes, what do you mean with <insert questions>?” or “How does my contribution from a technical level translate to the business strategy?”.
Just because a message I send to my audience is clear for me does not in any way mean it is clear for them. I constantly remind myself to ask that question, it is such an easy way to gain a better understanding and also open up for dialogues, conversations, and contemplation around the subjects.
And the cost of asking that extra question is nothing in relation to the potential positive trajectories it may have for your audience and for how the message will be received.

This form of communication goes both ways, from both a business and a technical security perspective. Things are not always as clear as they sound in our own heads, or as clearly as we try to communicate or visualize them. That is just how it is. And if you do not understand things communicated to you by your stakeholders, ask, or say that you do not understand. Yes, be that security leader who says “I do not understand, can you please explain to me what it means?”. There is nothing wrong with not understanding everything. No one does.
We just need to embrace this reality when it comes to communication and work as a team to better understand each other. This is the way to create a team that understands, trusts, and works together to make the organization a safer place to be.
Helping each other to communicate in a way that is understandable and applicable when it comes to security makes a huge difference: increased understanding, awareness, teamwork, inclusiveness, trust, and relationship building.
Make the language of security simple to understand. As said, it goes both ways, from both a business and a technical perspective.
Next time you communicate with someone, try these simple things:
- Ask questions when you are uncertain.
- Listen with the intention to understand and not to respond.
- Be mindful when you communicate.
It is a two-way street. Do it together. Build resilience. Contemplate. Help each other. Grow together. Lead each other. Communicate.
FOR YOUR INFORMATION
If you found this article interesting, you may also want to read my CISO series in three parts.
- A Day at work as a CISO – Part #1
- A Day at work as a CISO – Part #2
- A Day at work as a CISO – Part #3
Henrik Parkkinen