Cybersecurity Is a Communications Problem

Is cybersecurity a communication problem at its core? If communication is so critical in cybersecurity, why do we keep seeing so many failures?

Check out this post by Ross Haleliuk for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap. Joining us is James B., CISO, Tampa General Hospital.

The goal is to connect to the business

If you only know how to speak in the language of cybersecurity, you’re never going to connect to the business. "Drop the cybersecurity babble and speak in terms that resonate with the business leaders. For example, stop talking about threats, they don’t care about them. Help them understand that cybersecurity is an integral part of the business and can positively affect the bottom line," said Garry Kolb of Secureview360. For Erik Bloch, this can be a hard lesson to internalize, "Senior leaders need to talk the language of business. Experience is the only solution I’ve come up with. Fail enough times and you eventually figure it out."

The hard truth about soft skills

If there was ever a time when cybersecurity leaders could be solely focused on technical concerns, that era has passed. "Cybersecurity professionals have undoubtedly begun to recognize the limitation of a technical focus and started investing in ways to expand our communication skills - understanding that it's going to lead to both professional and broader business success. Labeling communication as a ‘soft’ skill has framed it as less important than its ‘hard’ counterparts, but that couldn't be further from the truth," said Yakir Golan of Kovrr. This problem exists on both sides of the business, as Frederick Carlson of the Bureau of Economic Analysis, U.S. Department of Commerce said, "You have a poor storyteller, with a constantly shifting story, talking to people who absolutely have every interest to keep this wicked problem bottled up and away from them at all costs. The good news is it will be fixed because it has to be."

Balancing risk

One of the hardest things for cybersecurity professionals to understand is where risk management falls in overall organizational priorities. If you can’t frame something to speak to that focus, you’ll never get through. "The majority of a business focuses on growth optimization and a small subset on risk mitigation. Those who focus on risk exclusively, often lack the language and perspective to map their views up into the larger business growth perspectives… Risk/security is simply a checkbox, a sucking black hole in the budget; and an officer to blame later," said Arian J Evans of Amazon. Regulation may change the calculus of business priorities, as Ahmed A. of Digital Macro Strategy Corporation pointed out: "There’s now international recognition that it is businesses refusing to accept the cost of cyber security issues and that it is also recognized that the cyber security issues are well communicated and understood. That’s why we now have directors personally liable if they pretend in court not to understand cyber security."

Looking beyond communication

Ultimately, we’re not worried about communication. That’s a means to an end to get buy-in from the organization. "The problem isn't the ability to communicate, it's the ability to persuade. They are different: the first is about clarity. The second is about convincing others to take actions that may conflict with their self-interest. The best thing you can do to overcome the challenge is to find a common interest, and then agree on the problem," said Tom Schmitt of Anheuser-Busch InBev.

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now. Thanks to SeeMetrics.

Huge thanks to our sponsor, SeeMetrics


Subscribe to Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.


Optimizing Security Operations with DirectDefense

Sponsored content

DirectDefense recently released a threat report, offering insights on managed services, threat hunting, and customer requirements. But intelligence only goes so far; organizations can best benefit from tailored alerts based on their needs, argues Jim Broome, president and CTO, DirectDefense. The key to this is building strong partnerships with clients through collaborative and customized security strategies, offering a blend of proactive and responsive measures.

Watch the video.

Huge thanks to our sponsor, DirectDefense


Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Jana M., CISO, Belron. Thanks Vanta.

Thanks to our Cyber Security Headlines sponsor, Vanta


Join us NEXT Friday [08-02-24], for "Hackings CISOs"

Join us Friday, August 02, 2024, for “Hackings CISOs: An hour of questions for our CISOs.”

Let us know what you want to ask our CISOs. Whether it's career questions, organizational issues, or technical considerations, our CISOs are game to answer.

It all begins at 1 PM ET/10 AM PT on Friday, August 02, 2024 with guests Steve Zalewski, co-host, Defense in Depth (and former CISO for Levi Strauss) and William Harmer, CISSP, CISM, CIPP, operating partner and CISO, Craft Ventures. We'll have fun conversations and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup on Discord.

Register for 08-02-24 Super Cyber Friday


Jump in on these conversations

"I will be the new security testing guy in my company. What to learn first?" (More here)

"Just me, or is every vendor's website awful. WHAT DO YOU ACTUALLY DO?" (More here)

"Should I be learning Cybersecurity on my primary machine?" (More here)


Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship, contact me, David Spark.



Experientially this is true. Cyber has become a field where the ability to be a good storyteller, speaking about business priorities and persuasive messaging is crucial to success. I liked this quote: "The problem isn't the ability to communicate, it's the ability to persuade. They are different: the first is about clarity. The second is about convincing others to take actions that may conflict with their self-interest".

Happy to be a part of it!

Austen Hancock

Technology Success Expert at Clarity | Empowering SMB & Midmarket Businesses Through Technology

3 months ago

Great article David

Molly McLain Sterling

Global Security Culture Expert | Security Evangelist | Behavioral Science Enthusiast

3 months ago

This is a great topic to cover and an area I'm very passionate about! Thanks for a quality output.

Guillermo Pita, CIO, CISO, MBA

CISO - vCISO | Cybersecurity | CIO - Executive IT Leader | Digital Transformation | Speaker | Cyber Risk Management Strategist

3 months ago

Excellent article David Spark. One of the most important challenges for CISOs is to teach digital distrust, and convince the C level about cybersecurity risks. Communication skills involve being able to transmit those concepts very emphatically and in a non-tech language.
