Can we talk?

When I initially wrote the #dfir class that I am currently teaching at Oklahoma State University, I reached out to many of my colleagues who lead DFIR practices around the world and asked them what skills they thought their teams were lacking and how academia should be preparing the next generation of responders to fill those skills gaps. These were all seasoned leaders who have been in this space for as long as or longer than I have (20 years), so they have seen a lot and have a good feel for which skills are present and which are absent.

In the more than 25 conversations I had with these leaders from the US, Canada, Mexico, the UK, Switzerland, Australia, New Zealand, and South Korea, a common theme quickly emerged. In conversation after conversation, it was apparent that they did not need team members with deeper technical knowledge, better scripting capabilities, or a more expansive knowledge of forensic software platforms. While these are necessary components for building a team, and all responders should have them (albeit to varying degrees), they are not what is currently missing, nor what these leaders are clamoring for. What they want…what they need…are responders with the ability to communicate.

While the respondents listed the ability to communicate clearly, verbally and in writing, as the skill most frequently missing from their teams, they also conveyed their surprise that academic programs had by and large not previously picked up on this need, since in their estimation it is one of, if not the most, important skills a responder can have. That led me down a slightly different line of questioning, because if this need was seemingly so obvious to industry leaders, why has it gone unfilled?

According to author and DFIR thought leader Harlan Carvey, “Technical skills in cybersecurity, and in particular in DFIR, are pretty straightforward to assess, and there's a great deal of valuable technical training available. Regardless of how technically capable an analyst may be, if they are not able to clearly and accurately communicate their progress or findings to the customer, the effectiveness of the service is going to be significantly diminished.”

The questions that beg asking are how we got here and what that means for the industry. I think knowing how and why something happened is essential to making adjustments, so that understanding can be extracted and transformed into wisdom, and past mistakes are not repeated. If we want to do something different to get a different outcome, then we need to understand what we want to do differently, why, and what sort of changes we’re looking for. Without this lens, you might as well get a chimpanzee to throw darts at a dartboard for all the good it will do you. Change for the sake of change is never meaningful.

I think this conundrum manifested through a combination of placing too much value on technical acumen, or hard skills, and too little value on communication, or soft skills (I genuinely despise those terms). Even the terminology is biased, communicating that technical skills are harder (as in more difficult) and therefore superior to the easier, paltry communication skills. The unintended consequence of this positioning is a focus by industry professionals at all levels on improving their technical skills through training and certifications while ignoring any professional development of communication skills. How many classes have you seen on forensic report writing? How many certifications are there for Certified Cybersecurity Communications Experts? Zero, that’s how many. But every responder, pentester, and security consultant will tell you that the thing that consumes the majority of their time is report writing and client meetings. So, why the disconnect?

It's little surprise that cybersecurity professionals generally have a reputation for being awkward, poor communicators. The industry has been designed to reinforce the notion that one set of skills (hard) is superior to the other (soft), when both are used in equal measure, and both are required for the job. You can’t be the best responder and write crummy reports. This is why the reports being generated, particularly by responders, are difficult to understand, full of technical jargon, and contain snippets of code and logs that are meaningless to anyone but the author and his buddies. The target audience is largely disregarded and almost marginalized. Clearly, it’s their (the reader’s) responsibility to educate themselves so they can read the reports. It is in no way incumbent on the writer to explain things in easy-to-understand terms that the target audience can grasp. </sarcasm>

All joking aside, the role of any author is to convey their thoughts in a way that the target audience can understand. It’s not to impress anyone with your grasp of technical terms, it’s not to cover your ineptitude with jargon, and it’s not to make the reader feel somehow inferior. It’s to get them to clearly understand what you have written, why you have written it, and what it means to them.

Dr. Kyung-Shick Choi, former Korean police officer and Professor of Practice at Boston University, states in his book Digital Forensics & Cyber Investigation (Choi, Back, & Toro-Alvarez, 2022), “While technical expertise is essential in cybersecurity incident management, it is not enough on its own. Without strong communication skills, the best technical solutions may go under- or miscommunicated, leading to suboptimal outcomes. Therefore, organizations must prioritize hiring firms and individuals with proven communication skills in addition to technical abilities.”

Dr. Choi makes an important statement here that merits repeating: “…organizations must prioritize hiring firms and individuals with proven communication skills in addition to technical abilities.” This means organizations can provide the medicine for their own ailment by including these skills in the assessment process. If you want responders who can communicate effectively on your team, ask for a writing sample as part of the interview process. Many software companies ask for a code sample from prospective developers. This is no different.

Likewise, when you hire cybersecurity consultants of any sort, ask about communication procedures, and request a sample deliverable as well as the contact information of a referenceable client. Ensure you are retaining providers that have both the technical acumen to do the job AND the communication skills to make sure you clearly understand what they did, why, and what the outcome was. Choose the providers that consistently deliver the best quality work AND the highest quality reporting, not the biggest name or most popular brand.

I also think that academia and professional training institutions like SANS and the EC-Council should begin to incorporate report writing and client communications into their programs. Continuing to graduate students and certification holders with deep technical skills but no, or very limited, ability to communicate what they are doing, why, and what the importance of their work is will simply perpetuate the current, broken paradigm. The ones who suffer the most are the customers who pay dearly for cybersecurity services and have no idea what the final work products mean or why they should care.

Finally, the belief that technical skills are somehow superior to communication skills needs to change. While technical skills are absolutely necessary in this industry, so too is the ability to clearly and concisely communicate with a target audience, which will likely be non-technical. Hiring managers should come to expect these capabilities, academic and educational institutions should begin teaching and certifying these skills, and customers should demand them from their providers. This is one of the few challenges faced by cybersecurity professionals that they both understand and have the power to solve. It's just a matter of execution.

More articles by Christopher Pogue, MSIS