Topic: Communication for internal teams on the importance of understanding risk
If all communication was abolished, society would crumble. Fast. Yet one area that I have noticed in the security industry which I believe needs a lot of attention – and often goes unmentioned – is how we communicate internally to our teams on the importance of understanding risk in the face of change.
Through my work, I’ve lately had a huge volume of conversations with IT security leaders across the globe, and the same discussion points keep appearing. Namely, that as an industry, we are driven by technology and the security that underpins that technology, but one area that seems to be almost entirely neglected is how we communicate technology changes, and the correct workflows that follow from them, within our businesses. It’s this gap that has really provided the genesis moment for shadow IT, as employees duct-tape their workflows together with a limited appreciation of the technology, let alone the security aspects inherently attached to it.
I want to be able to provide some advice on how I believe security teams can be more effective at communicating why other areas of the business need to pay attention to security functions, and the risks that could occur if they wilfully ignore them.
1. Understanding That We Are Dealing With Humans, Not Machines
It seems obvious, yet I still see a very ‘non-human’ approach to trying to get teams to engage with security training or process changes, and ultimately, then, to understand the risk. Emotional intelligence plays a huge role in this, and it is an area that seems to be acutely lacking – unsurprisingly – within this highly technical field. While certain personality types do gravitate towards technology professions, I’d suggest the gap exists mostly because emotional intelligence is not taught in any university course, nor when studying for the overwhelming number of security-related certificates. Unfortunately, we can’t ‘configure’ humans to operate and respond in a way that always makes cold, logical sense – we’re all lizard-brained strange beasts that have learned to sit at desks. This is why we need to understand the ‘collective of individuals’ on a deeper level, and study human behaviour as datapoints, if the industry is to start getting buy-in from outside of the tech fields that are constantly exposed (at least peripherally) to security practices.
2. Ignorance ≠ Stupidity
I’m sure you’ve seen people, online and in real life, calling people without a background in the technology field “stupid” because they failed the latest phishing simulation. We aren’t in the 1950s, so cracking the whip and being accusatory towards other staff members gets you nowhere – particularly with younger generations. Condescending behaviour like this must be stamped out, because as an industry we are losing our message of why security is so important by operating like the authoritarian guys from ‘Mad Men’. Security communication needs to be effectively steered by the right leader: one that empowers people and makes arrangements to close the gap for those who are failing their security training, rather than shaming them. Gradual changes in the wrong direction, born from passive aggression as a soft rebellion, are much more common than most executives would like to think!
3. Painting Everyone With the Same Brush and Hoping They “Get It”
What’s important to Susan in Accounting is not the same as what is important to Carole in HR. Understand your audience segmentation; don’t just broadcast the same communications to everyone and hope they will “get it”. No one cares about your agenda because they see it as “not their job”. It’s your job as a security professional to make them care. If they don’t? It’s on you. To motivate them to care, you need to understand what they care about in their individual roles (and in their department) and then reverse engineer that. Sending out the same pedestrian comms to everyone is lazy – logically segment your audience. You will first need to identify your discrete audiences and understand what is critical to each in their day-to-day job, and then work on your comms to align your messaging with each of them. This hyper-targeted method does require more initial planning and work – Susan isn’t necessarily going to care about what’s important to Carole (Carole is a terrible, unrelatable person too), but if she reads comms coming from a security department that are super relevant to her, she is much more likely to respond with favourable security behaviour.
4. Continuously Piling Band-aids on Problems and Hoping Each One Sticks
If the shoe doesn’t fit – stop forcing it. I see this next scenario time and time again. Despite the universally acknowledged issues, people just succumb to the position that they “have always done it like this”. How’s that going for you, Doug? Not great? Again? /sarcasm.
The approach to getting employees to understand security risks within your organisation needs to be continuously adjusted, and at just the right cadence. I like to call it a Kaizen process – one of continuous, gradual improvement – because risks within organisations change as the business evolves. Rather than rolling out a new shiny box, sometimes an examination of the fundamentals is much wiser than an LED-fuelled silver bullet. A stagnant approach to the communications distributed within your organisation will mean your collective engagement with security messaging drops, because you haven’t managed to stay relevant to your organisation’s departments.
5. A Hybrid Role: Blending Technology and Business Communications
Every department wants a seat at the big table – but security is a must for representation. The consequences in a digital age where every business is a tech business are just too critical.
I believe the primary reason why security has yet to be at the big table in many organisations is the immaturity in how security is represented to the whole of the business, including at the executive level. This likely stems from the industry, in its current incarnation, still being quite new – it almost seems foreign to have this incorporated at the top of an organisation. The security professional needs to understand their audience – what does Simon the CFO need to hear and comprehend in order to allocate funds to the security department? Simon does not care about how many threats were blocked; he needs to be shown the possible risks to the organisation, and an associated figure if there were to be a problem, in clear and concise terms in his own language – not some poor, lazy attempt at the creation of a ‘lingua franca’, a one-size-fits-all message for the entire organisation.
In summary, the fundamental point is that messaging, that undeniable central tenet of good security posture, needs to be effective. And messaging can only be as effective as it is relevant. By taking the time to build a framework that helps you connect with each department, indeed with each employee, you can save time on the back-end through (largely) self-governed staff, instead of fighting the immutable ‘war of attrition’ that is modern security for too many organisations.