Communication Skills for Security Professionals: Part I
Frederick Scholl, Ph.D., Cybersecurity Program Director, Quinnipiac University
Cybersecurity is, in the end, really about people: getting them to understand what to do, encouraging them to do it, and following up to make sure it was done. As such, communication plays an extremely important role in the success of the security practitioner. A CISO must communicate with the entire corporation. Only the CEO has greater communication challenges. These challenges are also one of the fun parts of the job.
If you don’t believe in the critical nature of communications in information security, please read Graeme Payne’s book [1] on the Equifax breach. In this book Payne documents how one missed email from the security team to him led to the breach of 146 million customer records. Security is inherently cross-silo. Any functioning risk management program will be built around effective communications, up, down, and horizontal: both to gather risk information from the organization and to present risk mitigation plans to the organization’s leadership.
Most security professionals are not natural storytellers and communicators. I have met some gifted exceptions. If you are like me, you need a toolbox of communications techniques and regular reminders of how to use those tools. The other thing you will need is mindful practice.
Yet most academic cybersecurity programs and certificates do not provide guidance on how to communicate. The purpose of this blog series is to introduce you to concepts and tools that I have found valuable and that I think you will be able to use. There is no one magic formula for successful communication. That is why I have created a series on the topic; this is Part One.
I’m starting with a book I have used called Say It So They Listen, by Schatzie Brunner [2]. I got acquainted with Schatzie’s work while living in Nashville. She was a CNN anchor when Ted Turner was running the company. Say what you want about TV anchors, they do get millions of us to listen. She described her communication techniques in her book, and I will summarize them here. By mastering these you will increase your effectiveness as a security manager.
Let’s look at the three principal parts of Schatzie’s system.
- Research your audience
- Clearly address goals and benefits for that audience
- Prove #2 with three points
Generally, speakers or writers will already consider “research your audience”. But this must go beyond just knowing who they are. You must understand in detail their needs and how your message meets those needs. Remember, everyone is tuned into WII-FM: What’s in it for me?
Example: you want support from your development team in order to implement new security testing software. Wrong approach: “This software will help ensure that our code is secure”. Better approach: “This software will reduce rework from bug fixes and make it easier to focus on production goals”.
Goals and benefits for the “listener” are easy to forget. If you tend to forget, you can use a formal “Target Statement” of the form: “By (your goal) you will (their benefit)”. I used this above; my goal is to have students master communication skills, in order to more effectively use the materials in our MS Cybersecurity program. You don’t have to use this formulaic structure in your communications, but it is a good starting point. The “Target Statement” is the introduction to the rest of your communication, in which you must prove your case.
Example: communication with the CEO. “By implementing a strong awareness training campaign, Acme will reduce time and money spent on breach cleanup”.
Proving should be limited to three points. This is the “rule of three”. With two, your audience will think something is missing; with four or more, they start to get overwhelmed. If you really have more than three points, you can attach them in an appendix. I used this above, describing the three main points of Say It So They Listen. There are more points in the book. Do you get bogged down in detail, or conversely forget to include enough supporting information to back up your ask? Time to focus on the “rule of three”.
Example: “By implementing two-factor authentication we can reduce the risk of security breaches.”
- Most breaches occur via account take over or stolen credentials
- Studies show that users are still relying on weak passwords
- Security standards bodies are universally recommending MFA
There are many more tools in the communications toolbox, such as storytelling, using visuals, preparation, body language and so on. I will address these topics and more in upcoming posts.
Quinnipiac University’s online MS in Cybersecurity program is led by industry-experienced faculty dedicated to teaching emerging leaders in the security field. Learn more about how the MS in Cybersecurity degree can give you the necessary skills to pursue a career as a proficient cybersecurity professional.