
Five Tips For Getting Across Your Security Message


by Mike Gentile, Ron Collette, and the CISOHandbook.com Team
Preface:
 
Many security professionals spend a large portion of their time attempting to organize and fully comprehend all of the content within their communications, whether a security report or risk assessment, but forget to recognize that the manner in which they communicate their message is just as important as the message itself.  This article will focus on techniques that can aid you in relaying the intended security messages.
 
Article:
 

Use Definitions for Everything

Security is a complex discipline. That is why we all make the big bucks. When you present any information, whether through a PowerPoint presentation or within a report, you must ensure that any ambiguous or confusing terms are defined for your audience. And security has a number of ambiguous and confusing terms. The first step in effective communication is to establish a common, relatable baseline for the conversation. This is important for two reasons. First, it will aid in educating your audience on the subject, a topic or issue to which they may not have been exposed prior to the presentation of the material. Second, many concepts that we use in security are nebulous and hold different meanings to different people based upon their perceptions or experiences. A good example is the term “security” itself. What it means to you may be very different from what it means to me, or more importantly, to your audience.

 

Dry-run with Non-security Folks

We have found over the years that if a security neophyte does not understand what you are saying, then you should redesign and simplify it. This can be extremely challenging for many in our field, either due to the complexity of the subject or due to their own egos. In many cases, it is beneficial to apply the information in layers instead of attempting to relay all of the content in one application. This incremental approach has worked like magic for us over the years. We believe this is the right approach for two reasons.

 

First, it prevents you from going “security nerd” in your messages and using terms like “defense in depth” and other fun buzz phrases that really turn most audiences off. Second, it ensures that you are articulate and thoughtful with the information that you are presenting. When preparing for a security conference, we always run our presentations by our wives first (not security experts by a long shot), even if we are speaking to an advanced security crowd of our peers. We have never once had someone tell us our concepts are simplistic or rudimentary. In fact, our speaking reviews generally illustrate that our points are direct, clear, and concise.

 

Know Your Audience

In order to effectively craft any message, you must first understand the type of audience that will be receiving your message. We know this is not rocket science, but we still see many security professionals who forget this fundamental step. For example, we once witnessed a security officer who presented the logs from their Intrusion Detection System to the Board of Directors (true story). We now know what it looks like when eight people are contemplating shoving a pen in their eye merely to escape a room... it was that bad.

 

Most importantly, you must be aware when your material will be viewed simultaneously by multiple audience types, for example the Board and a Network Engineer. In these situations, it is advisable to provide different communications for each audience if it is possible. If this is not possible, then organize and divide the communication by audience type. This will allow each group to skim over the portion which they find the least useful and allow you to deliver the message that is desired for each group. Think of it as delivering two separate presentations or reports in one package.

 

Limit Vendors from Presenting Your Message

We know we are always beating up on security vendors. Unfortunately, we are not going to stop here. Security vendors are often used to deliver a message for a security organization on a wide range of topics. This tactic is generally used as a means to quell some type of political situation in which the vendor is inserted as an unbiased third party. The downside to this approach is two-fold. First, security vendors often bring with them their own nomenclature, which is unique to their product line. This can be confusing for both you and your audience. Second, these folks often do not possess an in-depth knowledge of your environment and the culture of your organization. As a result, they may miss many of the nuances that are only apparent to someone who has a better overall understanding of your specific organization. Both of these issues can have lingering effects that can haunt your security efforts long after the vendor is gone. In our experience, we often see the effects of this confusion outweigh the political gains that are afforded by having them speak for you in the first place. Be wary of using vendors to communicate your messages.

 

Make Your Communications Clean and Error Free

You can’t put the bullet back in the gun after you pull the trigger. First impressions are everything. If you go on a first date, you have a better chance of impressing if you are clean and presentable than if you are a mess. The same thing goes for your communications. Any time that you present something, make sure that it looks sharp. Just as important, make sure that it is free of any grammatical, spelling, or formatting errors. You don’t want those items to be the focus of the conversation. We were actually in a meeting where the CIO lectured twenty of his managers on the merits of a 10 point Arial font versus 12 point Arial for half an hour... no joke. That is an extreme case, but the moral of the story is that the message failed to be delivered.

 

As you can see, these items have a tremendous impact on your success. First, they have the potential to relay the most undesirable message: that you do not have an attention to detail. Second, they often take the focus of your audience away from your content and instead waste it on something like a misspelled word. Executive Management loves to find these types of errors because it gives them something upon which to comment when they may otherwise have just been silent. This situation is most likely to occur when they have a limited knowledge of the subject, such as in the case of security.

 

Conclusion

The easiest way to ensure that you get your message across as you intend is to take time, prepare, and think about your approach before proceeding. Many people get so caught up in the complexities of the security discipline that they lose sight of the importance of a sound delivery mechanism. Without both a strong message and the right means of delivery, you are doomed from the start. The good news is that this is not difficult. Simply take a little bit of time beforehand to think and plan out your approach to accommodate your own specific situation. We are certain that you will be glad that you did.


Posted on Monday, March 17, 2008 (Archive on August 14, 2006)
Posted by CISOHandbook.com
Copyright (c) 2009 CISO/CSO Handbook