Security for the Ages: Make it Memorable
Those of us That Spend our Lives in Security Sometimes Forget How our Field Looks and Sounds to Others
Recently, on my way to work, I heard the song “Mr. Jones” for the first time in years. For my younger readers, this Counting Crows song was quite popular when I was in high school. I found hearing this song again after so many years fascinating. Why? Because I still knew every word of the song.
Whether or not you are a fan of the song, you are likely asking yourself what this could possibly have to do with security. That’s certainly a fair question. To understand the connection here, we need to ask ourselves why I still remember the words to this song after all these years.
In my opinion, the answer to that question lies in the fact that the song was fun for me. For whatever reason, it found favor in my eyes. I internalized it. I heard a lot of songs in the 1980s and the 1990s. But the number of songs from that period whose lyrics I still remember is relatively small.
We can learn a lesson from this in security. Those of us that spend our lives in security sometimes forget how our field looks and sounds to others. When presenting or discussing our work, it’s important to focus on how that message is received and internalized by the people on the other side of the conversation. Let’s take a look at ten situations in which we can leverage this powerful lesson.
1. Conferences: I’ve sat through a fair number of conference talks in my life. Some have been better than others. Know your audience and stay focused on what will resonate with them and/or help them understand what you’ve been working hard on and the value it provides to the greater security community. The best talks are those that people still remember after a year or two has gone by.
2. Board: In previous roles, I’ve had a few opportunities to present at board meetings. What I took away from these encounters is the extremely high level at which the board thinks about risk. It’s incredibly strategic and miles away from tactical. Something to keep in mind when formulating your board presentation. Your job is to get the board’s attention and cause them to focus on what’s important, not to overwhelm them with details.
3. Executives: While perhaps not as high level as the board, executives are still pretty high level. Tactical mumbo jumbo will put them into a trance. Best to tune your message to the audience and ensure it will resonate and stay with them. For example, if you need to make the case for additional budget, try doing so in the language of mitigating risk to the business and return on investment.
4. Team: Your team needs to have a good idea of where you’re going and what you expect from them. The message needs to articulate that clearly in terms that are meaningful to the broader team. You want the message to stay with them and for them to be thinking about the organization’s priorities when approaching different tasks each day.
5. Stakeholders: In order for any security organization to be effective, it needs to work collaboratively with the business. The way the business thinks about risk, however, will be different from the way the security team does. And, of course, the business’ primary focus is on, well, the business and the revenue it brings. The savvy security team will take care to communicate in terms that the business can relate to.
6. Customers: Your customers likely want to understand that you take their data and privacy seriously. But have you thought about how you can best communicate that in order to allow them to internalize it? It might be a different message than you would normally go with. Focus on how you protect what matters most to your customers – likely their sensitive, proprietary, and confidential data.
7. Peers: We all benefit from peer interactions: people who understand what our day-to-day professional life is like, the challenges we face, and who run in our circles. We can bounce ideas off of them, brainstorm together, and share information. With our peers, it is better to give than to receive. Those who are generous with ideas, time, and information will be top of mind when a peer has something to pay forward.
8. Clients: If you are a security consultant, how do you sell your or your firm’s services to potential clients? Do you talk about all of the skills and capabilities you have? Or, do you talk about how you can address the problems and challenges that the client may have in the language of the client? I will leave it to you to decide which approach is generally more effective.
9. Insurance: Cyber insurance is becoming a hot topic. While the field is still in its infancy, insurance companies are beginning to take an interest in how they can more appropriately assess risk. As you might guess, the insurance industry looks at assessing and quantifying risk a bit differently than we might be familiar with as security professionals. Keep that in mind when communicating to them how you minimize, mitigate, and manage risk. Make sure to tailor the message to the audience.
10. Vendors: As an enterprise, you likely understand that your supply chain can introduce risk into your overall information security posture. Assessing, measuring, and tracking this risk over time is an important part of managing third party risk. It’s important to communicate your security priorities clearly to ensure that your vendors understand what keeps you up at night and how they can address your security concerns.
Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently Co-Founder and Chief Product Officer at IDRRA and also serves as Security Advisor to ExtraHop. Prior to joining IDRRA, Josh served as VP, CTO – Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.