This discussion focused on the “and More.” Participants deliberated about who to talk to and strategies for building alliances more than techniques for “talking.” We shared tips that can help us to succeed.
My biggest takeaways were that there’s more to “talking” with non-security professionals than the words we use or even how we say them. The practices we follow, the policies that we enforce, consequences we impose shout louder than any words we say. We do well to know our audiences and the impact of the messages that our actions convey. It helps to make allies, use carrots and sticks, and even play games – whatever it takes to get the salient points across.
Who are the non-security professionals we need to communicate with?
During the session, participants mentioned audiences that are challenging to communicate with in their roles as security professionals: HR, the C-suite, internal users, and the public (for breach response). Much of the discussion time was spent on higher-level management.
What topics are difficult to talk about?
The point of communicating is to mitigate security risks and consequences. We do this by delivering a clear company culture around security that emphasizes why the various audiences should care.
A major challenge is boards that are inherently more finance-focused than tech-savvy. Participants cited cases where board members are retirees for whom technology is beyond their comfort zone. They are more likely to ask “What do you need from us?” than “What are the issues?” One participant said of his board, “They’ll give me a pat on the back on the elevator, but they don’t want to know the details” – until there’s a breach. Then they want to know exactly what the security team is doing about it.
This led to a discussion about who owns security risk. Is it IT? Users? Management? Various opinions were shared.
Techniques for Addressing Challenges
- Give the board what they need. Provide them with a business impact analysis of security risks; they understand that. Present security as a competitive advantage. Make sure they know that the consequences of a breach are more than the money to remediate – reputation might matter more for the survival of the organization. Don’t overwhelm them with technical details. Use layman’s terms.
- Risk ownership is where company culture comes in. Engage with allies, such as HR. A useful metaphor was offered for this – it’s like advice from your mom vs. advice from your favorite uncle. Whom do you listen to? Security is mom; HR is your favorite uncle.
- Maintain a policy manual that includes clear statements, cheat sheets for tracking compliance, and real-world examples and war stories. Include discussions of competitive management, employee liability, and incident response.
- Always enforce policies. For example, badges must be worn and visible. New employees tend to do this and then stop within a few days when they notice that nobody else does.
- Mid-level managers are key to successful security enforcement. Their behavior influences company culture. One thing that they can do is to include security in job descriptions.
- Employee compliance sign-offs don’t always work. Implement additional measures.
- Use carrots: performance bonuses for meeting security objectives, bonuses for identifying potential breaches, rewards to encourage asking questions.
- Use sticks: revoke security privileges of an employee who gets phished.
- Make compliance fun, not boring. Controls seem negative, so gamify them. One participant shared her “Gnome of Shame” game: they left a gnome on the desk of anyone who left their computer unlocked, and workers passed the gnome along from one offender to the next. This had the desired impact on the employees without having to be heavy-handed.
- Show videos during trainings.
- Prominently place dashboards and scorecards. For example, compare how different groups or revenue streams are doing. This is not a “risk” discussion; it stimulates competition between teams to be the best.
- Plot interest vs. power to help define communication strategies for your various audiences.
Topics for Further Conversation Through the Blog
There is much more to explore on the topic of talking with non-security professionals, especially in the realm of metaphors and stories that help deliver clearer messages. I hope this blog will continue to explore and share them. Let’s share some stories and metaphors.