Cyber attacks have been increasing for almost three decades. Meanwhile, security is an essential part of the critical path for major initiatives like cloud migration and the success of a growing remote workforce. While press and analysts have increased awareness on the part of executives, security teams still struggle to get the management support they need, and their stress and burnout rate is naturally increasing. Security leaders are starting to opt out of their roles, citing unreasonable expectations, lack of respect, and old-fashioned overwork.
There is a root cause to this disconnect—one that we find in dysfunctional relationships of all kinds: The lack of clear and consistent communication.
The following 5-step process will help. It’s based on 30 years of successfully helping people to understand the challenges of security and that those challenges can be met. It provides a model for successfully communicating with executive, management, and technical audiences, particularly those outside our own security community. Briefly:
- Step 1: Get their attention by establishing your authority.
- Step 2: Show that you understand their challenges by demonstrating empathy.
- Step 3: Clearly present your ideas on required capabilities, in terms that are at a technical level that meets your audience’s comfort level.
- Step 4: Reinforce your advice by establishing your own credibility through examples of past performance.
- Step 5: Finish by emphasizing your sense of urgency about security, about personal responsibility, and about partnership.
You can use this process for everything from 30-second conversations to full-blown presentations. The following sections give you recommendations for delivering on each of those five steps to help you get started.
Step 1: Establish Authority
Before you start offering security advice, you need to establish yourself as a knowledgeable voice on security topics. You need to demonstrate why people should listen to you in the first place.
Producing a list of your past accomplishments isn’t interesting or sufficient. Instead, offer anecdotes about situations you have resolved and refer to articles or insights you have published. Use these as natural, authentic, examples in your descriptions. The result is a clearer vision of your point and a sense that your ideas are based on experience, not on theory.
Communicate in a way that your audience can relate to. Avoid using high-level technical information or terminology that will likely confuse people less versed in security. Express yourself in language that your audience is familiar with because, when you help your listener to learn, it subconsciously confirms your authority.
Some ideas for topics that lend themselves to this type of discussion:
- Share information on newer cyber threats that you have seen impact other firms.
- Compare new attacks to older strains, describing common strategies that still have value.
- Share experiences where you learned hard lessons or dealt with challenging teams and cultures.
- Encourage them to increase their own authority by sharing your stories and proof points in their own advocacy for better security.
In security, remember that most people will not have an industry expert’s understanding of the topic. Security novices talk in terms of absolutes and catastrophes. Authorities recognize the importance of balance and reasonableness, and have stories of success where business need, financial restraint, and good security were achieved together. When you speak in a way that your audience understands, you’re effectively establishing yourself as the voice of authority for security. You capture the attention and confidence of your listeners, and you inspire the development of their authority as well.
Step 2: Be Empathetic
Security people, mainly because they start as technologists, usually shortcut security discussions into recommendations on security capabilities. This is the point where most communications breakdown. Before offering advice, you need to show that you understand the concerns and experiences of your audience: You need to demonstrate your empathy. Everyone worries about their security, everyone wants to know more, but everyone also believes that they are special and unique. You need to show that you understand how special and unique their security needs are, and that you’re considering those needs when formulating your advice.
Engaging empathy means sharing experiences you’ve had with people who have had similar challenges, or simply sharing your own struggles with security in general. You need to ask questions that allow them to illuminate their particular issues or philosophies, leading you to understand their pain, their frustration, or their confusion. Communicate (and believe) that their problems and shortcomings are understandable and likely common. In this way, they will internalize your desire to help them, and not simply to laugh, condemn, or preach.
Step 3: Capabilities
Once you’ve established authority and demonstrated empathy, you can get into a discussion about the security capabilities you see as important. Having taken time to learn about a company’s specific issues or security fears, the capabilities you discuss should address those with particular and obvious focus.
You are trying to help them define and recognize the help that they need. It may be that their personnel need more training, or they need to invest more heavily in disaster prevention. The gap may be in reporting, because the board doesn’t have an understanding of the reasoning behind the security strategy you’re proposing. All the while, when discussing capabilities, demonstrate that you have the ability to help them reach that goal.
When speaking of capabilities, be thorough and transparent: Completely address their issues and concerns, even when that means acknowledging your own gaps or unsuitability. Describe your approach or your technology at a level that provides value without resorting unnecessarily to technical jargon.
A successful capabilities presentation is purpose-built for one audience’s consumption. You don’t give the same presentation to everyone because, while the capabilities you’re going to describe may be exactly the same, the perceived value to this audience will be unique.
Step 4: Credibility
You’ve established your authority, you’ve demonstrated that you understand their pain, and you’ve discussed your capabilities and provided a selection of measures they should take. Now you want to establish credibility for those capabilities.
Help your audience to understand that you’ve taken companies through these measures before. You’ve seen other companies dealing with these concerns. Pick a meaningful yardstick with which to demonstrate your consistency and reliability. Demonstrate your ability to deliver a successful result based on past experience and based on the adoption of the capabilities you’ve just described. You can point out that you’ve been successfully engaging in this industry for years, or your company has an established track record with thousands of customers.
The desired result is that your audience sees your recommendations as tested and successful in other, similar, situations.
Step 5: Urgency
If you’ve gotten this far, your recommendations have been broadly accepted and you are clearly a well-informed resource for security. In most disciplines, you’d be done, but security is unlike almost any other area of technology, particularly in the gut of your audience.
Security impacts the viability and survival of companies and careers.
Your last step is convincing them of your sense of urgency. Show them you are committed to helping them be better protected. Let them know that you understand there is nothing more important than their clients’ privacy or protecting their proprietary information. Even if you are not able to solve all of these issues yourself, emotionally connecting to their sense of commitment through your expression of urgency will reinforce their belief that you are the advisor that they need.
Make your path forward clear, collaborative, and enjoyable.
To earn a strategic seat at the table, security leaders must develop or exercise communication skills that may be new. You need to learn how to speak persuasively about security with a wider audience beyond your technical peers.
With conflicting business pressures, even the most obvious security issues won’t always be priorities for the organization. Know that your audience may be uninformed, distrustful, conflicted, busy, or trying to balance a sea of similarly critical, but non-security, priorities.
So, before you open a discussion about security, review this simple 5-step process. When you use these steps consistently, you’ll develop the ability to identify the security goals of your listeners, and you’ll understand the relationships, justifications, budgets, and outcomes that they are driven by.
This ability to connect and communicate will make it easier for you to thrive and succeed, whatever your role or your audience.