Topic: Communication for internal teams on the importance of understanding risk
If all communication was abolished, society would crumble. Fast. Yet one area that I have noticed in the security industry which I believe needs a lot of attention – and often goes unmentioned – is how we communicate internally to our teams on the importance of understanding risk in the face of change.
Through my work, I've lately had a huge volume of conversations with IT security leaders across the globe, and the same discussion points keep appearing. Namely, that as an industry, we are driven by technology and the security that underpins that technology, but one area that seems to be almost entirely neglected is how we communicate technology changes and the subsequent right workflows within our businesses. It's this gap that has really provided the genesis moment for shadow IT as employees duct-tape their workflows together in the face of limited appreciation of the technology, let alone the security aspects inherently attached.
I want to be able to provide some advice on how I believe security teams can be more effective at communicating why other areas of the business need to pay attention to security functions, and the risks that could occur if they wilfully ignore them.
1. Understanding That We Are Dealing With Humans, Not Machines
Seems obvious, but yet I still see a very "non-human" approach to trying to get teams to engage with security training or process changes, and ultimately then, to understand the risk. Emotional intelligence plays a huge role in this, and is an area that seems to be acutely lacking – unsurprisingly – within this highly technical field. While certain personality types do gravitate towards technology professions, I'd suggest that it's probably because it is not taught in any university course or when studying for the overwhelming number of security-related certificates. We can't unfortunately "configure" humans to operate and respond in a way that always makes cold logical sense – we're all lizard-brained strange beasts that have learned to sit at desks. This is why we need to understand the "collective of individuals" on a deeper level, and study human behaviour as datapoints for the industry to start to get buy-in from outside of the tech fields that are constantly exposed (at least peripherally) to security practices.
2. Ignorance =/= Stupidity
I'm sure you've seen people online and in IRL experiences calling people without a background in the technology field "stupid" because they failed at the latest phishing simulation. We aren't in the 1950s, so cracking the whip and being accusatory towards other staff members gets you nowhere – particularly with younger generations. Condescending behaviour like this must be stamped out – because as an industry, we are losing our message of why security is so important by operating like the authoritarian guys from "Mad Men". Security communication needs to be effectively steered by the right leader. One that empowers people and makes arrangements to close the gap for those who are failing their security training, rather than shaming them. Gradual changes in the wrong direction, born from passive aggression as a soft rebellion, are much more common than most executives would like to think!
3. Painting Everyone with the Same Brush And Hoping They "Get It"
What's important to Susan in Accounting is not the same as what is important to Carole in HR. Understand your audience segmentation, don't just broadcast the same communications to everyone and hope they will just "get it". No one cares about your agenda because they see it as "not their job". It's your job as a security professional to make them care. If they don't? It's on you. To motivate them to care you need to understand what they care about in their individual roles (and in their department) and then reverse engineer that. Sending out the same pedestrian comms to everyone is being lazy – logically segment your audience. You will first need to identify your discrete audiences, and understand what is critical to each in their day-to-day job, and then work on your comms to align your approach to messaging. This hyper-targeted method does require more initial planning and work – Susan isn't necessarily going to care about what's important to Carole (Carole is a terrible, unrelatable person too), but if she reads comms coming from a security department that are super relevant to her, she is much more likely to respond with favourable security behaviour.
4. Continuously Piling on Band-aids to Problems and Hoping Each Sticks
If the shoe doesn't fit – stop forcing it. I see this next scenario time and time again. Despite the universally acknowledged issues, people just succumb to the position that they "have always done it like this". How's that going for you, Doug? Not great? Again? /sarcasm.
The approach to getting employees to understand security risks within your organisation needs to be continuously adjusted and at just the right cadence. I like to anoint it a Kaizen process – one of continuous, gradual improvement – because risks within organisations change as the business evolves. Rather than rolling out a new shiny box, sometimes an examination of the fundamentals is much wiser than an LED-fuelled silver bullet. A stagnant approach to the communications that are distributed within your organisation will mean your collective engagement towards security messaging will drop – you haven't managed to stay relevant to your organisation's departments.
5. A Hybrid Role; Blending Technology and Business Communications
Every department wants a seat at the big table – but security is a must for representation. The consequences in a digital age where every business is a tech business are just too critical.
I believe the primary reason why security has yet to be at the big table in many organisations is the immaturity in the representation of security to the whole of the business, including at the executive level. This likely stems from the industry in its current incarnation still being quite new – it almost seems foreign to have this incorporated at the top of an organisation. The security professional needs to understand their audience – what does Simon the CFO need to hear and comprehend in order to allocate funds to the security department? Simon does not care about how many threats were blocked, but needs to be shown the possible risks to the organisation and an associated figure if there were to be a problem, in clear and concise terms in his language – not some poor, lazy attempt at the creation of a "lingua franca", a one-size-fits-all message for the entire organisation.
TL;DR
In summary, the fundamental point is that messaging, that undeniable central tenet of good security posture, needs to be effective. And messaging can only be as effective as it is relevant. By taking the time to build a framework that helps you connect with each department, indeed with each employee, you can save time on the back-end through (largely) self-governed staff, instead of fighting the immutable "war of attrition" that is modern security for too many organisations.