Seven Deadly Sins of Security Communications

Posted on by Melissa Plicque

So here you are, Security Professional, once again trying to convince a group of wayward engineers or webmasters that they need to take action to protect against a newly discovered security vulnerability. Maybe you need them to change a configuration setting, register a library or identify where they’ve stored some personal information. You sigh, fingers on the keyboard, ready to hit send on your broadcast email, knowing that few of them will bother to read it, and even fewer will take action.

You’ve been down this road before and you’re frustrated. Why don’t people care about security? Don’t they understand what’s at stake? What does it take for people to accept their responsibility to follow simple instructions to protect the business?

While it’s tempting to blame your audience for not recognizing your oh-so-clearly communicated instructions, it isn’t productive to do so. If you aren’t getting the results you want from your technical security communications, consider whether your team needs to address any of these seven deadly sins of security communications.

#1 You spam your audience

If people aren’t responding to your clearly communicated requests, consider whether you’ve been sending too much information to too many people too often. If you don’t want your communications to be discarded as spam, try to limit your communications to what people really need to know and act upon.

#2 You bury the lead

If the whole point of your communication is to tell someone to take action, then that action needs to be the first thing they see. Although it might be tempting to first give an overview of the importance of the new access management standards, the ones who need to make the change might not read that far. Lead with the action you want them to take, followed by supporting detail that they need to know.

#3 You don’t provide the instructions people need

Even a highly motivated audience will fail to take action if they don’t understand the steps to complete the tasks. Once people know what to do and why it is important, they need to know how to do it. Make sure you provide clear instructions with the right level of detail and provide a contact in case they get stuck.

#4 Your instructions don’t work

Your program will stall if your audience tries to follow your instructions but can’t make them work. Ask a colleague to pressure test your instructions to ensure that they work, and to help you identify any failure conditions or alternate paths you need to document.

#5 You exaggerate or don’t follow up

Your credibility will take a serious hit if you blast out a message about an urgent and critical issue and then go radio silent for weeks. Be sure you state the issue and the risk in straightforward and objective language, provide a clear deadline with reminders, and follow up until the issue is closed.

#6 You provide too much (or not enough) technical detail

As security professionals, you might be eager to talk about your team’s new processes for verifying compliance to mobile application verification standards, but not everyone needs to know the details. Find the right level of detail to describe the issue but keep the focus on the task at hand. Sometimes the background info will belong in your communication, but you might need to move the play-by-play to a follow-up link or reference site.

#7 You focus on a single communication channel

Sure, email is a convenient way for you to package and send your message, but is that enough? It’s better to use multiple channels, putting information right in front of people as they go about their daily business. Take advantage of the collaboration tools already in use, such as Slack, GitHub and Teams, and follow up with brief and timely reminders—preferably delivered only to those who need to be reminded.

There’s no way to guarantee that the technical professionals in your organization will immediately take action on every security issue that you raise. But if you take care to avoid these seven deadly sins of security communications, you will increase the likelihood that people will read, understand and trust the information you provide. And your credibility and influence are critical tools in developing and maintaining the security of your organization.
