Purposeful Language
One of the biggest barriers for cyber professionals when explaining the threat landscape, the controls required to mitigate those threats, and the technology solutions that need investment to implement those controls is the use of technical lingo with non-technical decision makers. This is not a problem confined to the cyber profession; it occurs across all professions and their specific contexts. How well you can explain cyber terminology and its intended purpose will go a long way toward determining how strong the buy-in is from those outside the field for the outcomes you are trying to achieve. This is where language can be a significant differentiator, especially the use of descriptive terms that non-cyber people have a natural affinity for and can easily relate to, because they build an internal mental or visual response.

It is likely due to the concept of defending against cyber-attacks that our profession has borrowed language from the military domain, with terms such as DMZ (De-Militarised Zone), packet capture (i.e. why capture and not storage or recording?), and intrusion detection/prevention. However, it is interesting that when it came to the language used to describe cyber impacts to the general population, we landed on health terminology: software viruses and the need to quarantine them.

If we wish to be successful in conveying the importance of a cyber risk to non-technical business decision makers, to support either a policy change that will create business inconvenience or a requirement for investment funding, then we need to be more purposeful in the language we use in our conversations. Below are some recent uses of descriptive terms that I have come across that help build support for a cyber concept among the non-cyber population.

The one I have been referencing regularly is actually reflected back onto other cyber professionals and risk managers. I have been using it to try to show that large organisations need to be more purposeful in the way they undertake their supply chain cyber assurance requirements, especially with smaller businesses. Very often, even though a large organisation has decided it is more cost-effective to use an external supplier to deliver a capability, it expects that supplier to meet the organisation's own risk appetite when it comes to cyber risk management. If you have chosen to use a supplier and outsource a capability, then part of that decision is that it is not cost-effective to create that capability internally under your risk appetite. So why would you expect a third party to deliver the capability, at your risk acceptance level, at a more cost-effective price? Yet many organisations are happy to send out cyber assurance questionnaires that are hundreds of questions in length. Given the power differential between large organisations and small suppliers (i.e. a smaller organisation may feel it has no choice but to overspend to meet a prospect's needs, putting its own business model in danger), I like to use the term Organisational Bullying to describe the situation. I have found that as soon as you use the term bullying, it evokes enough of an emotive response that people will stop and consider the impact of their assurance needs. The intent is not to dismiss the importance of supplier cyber assurance, but to be more purposeful in how it is applied.

Another great use of language in a specific industry context I first heard from Mackenzie M., who is a CISO in the insurance industry. This descriptive language works well in that industry, and by extension the financial industry, to better convey the problem of systems and laptops that are obsolete or running obsolete, unsupported software. Mackenzie has said he has been successful in referring to these obsolete systems to the business as Toxic Assets. Given the normal meaning of toxic assets in the broader financial industry, and what the business understands it to mean, they will automatically apply the same mental model to systems or software that are obsolete.

Continuing on the topic of obsolete systems, how do you refer to those systems that are considered obsolete, yet from a business perspective are still very functional, may not have a viable replacement option, and may have had specific controls implemented to mitigate the operational and cyber risks of their being in the production network? While some may bunch these systems under the generic term Legacy Systems, I recently heard a better description of this specific category: Heritage Systems. When thinking of heritage sustainment in the general sense, you know it is not easy to maintain and repair heritage buildings or environments so that they remain safe and still functional for everyday use. This naturally creates a mental model that makes it easy to explain why Heritage Systems can be so costly to maintain: there are fewer skilled “artisans” who understand how to maintain the system, and replacement components are not available and may need to be custom made.

The last example I want to share was raised by Sean Duca during his interview with Karissa A. Breen (KB) on episode 180 of the KBCast podcast. The context of the conversation was the massive amounts of personal information that organisations have collected over time, not for a specific reason, just because “it may be useful or valuable in the future”. However, given the massive data breaches we have seen, especially those that exposed customers' private information, the risk of maintaining that store of consumer private information for no valid functional purpose has become an untenable organisational risk. If you live in an environment that is at risk of bush or forest fires, you will appreciate this use of language. Around the twenty-eight minute mark of the conversation (for those who just want to better understand this specific context), Sean raised the point that we undertake backburning as a risk reduction step to reduce the “fuel” that can be consumed in an uncontrolled bush or forest fire. Sean then raised the question: isn't it time we started to undertake Data Backburning in our organisations to reduce the privacy risk in the event of the unthinkable?

MD @ Continuum Cyber Board Member of CyAN and Cyber evangelist for SMB’s
1 year
Cyber dissonance is one of my favorites. Good piece Ben Doyle. The jargon we often use can marginalise people; I think it’s a real skill to reduce risk to a normal conversation, as in many situations non-technical people are the key stakeholders in the overall decision-making process.
Security+ Network+
1 year
I like "chihuahua with a pork chop", which wonderfully describes (among many other things) career changers like me who have taken that big tasty bite and won't let go of the process of learning, investigating, seeking and searching. The acronyms get a bit much, and the name changes -- according to CompTIA, DMZ (De-Militarised Zone) is now a screened subnet. But language evolves, is a basic function of human development and the basis of how we accomplish most of our goals at, and away from, work. Part of the process of learning, for me at least, is finding out what things mean, their functions and real-world examples. When I go beyond reading and memorising, and dive into some newly discovered term and its relationship to new ideas, I gain useful insight into what that term represents and the relationships -- a DMZ, for example -- has to what I do, have done and hope to do in the future. I enjoyed your article. Thank you.
CISO | Passionate, pragmatic and business focused Cyber Security and Technology Risk Leader | MIT MBA GAICD
1 year
Thank you for the credit Ben Doyle. I’d add that I really like the data backburning term from Sean Duca. Following your example of third parties: we assess their security practices and then the risk each party might present to our own organisation. But, and here’s the kicker, ‘good drivers still have accidents’. That assessment won’t prevent the third-party incident, but it will indicate which are less likely to have an incident, and those that are more likely to manage any incident well. Credit on that one goes to Simon B.
Investigative Security Journalist & Reporter | Podcaster & Commentator | Host & Producer | MC & Presenter | LinkedIn Top Voice Awarded in 22'
1 year
Great piece! Thanks for referencing the show Ben Doyle
Senior DevOps engineer at Thales Australia
1 year
I have used the word "Ben Doyle" to better convey the purpose of the cyber security need within our business