“I’m having a nervous breakdown”, howled Robert Plant in the 1969 Led Zeppelin hit ‘Communication Breakdown’. Plant may have been singing about a relationship, but the idea of an inability to make oneself understood will ring true for the many IT professionals who are reportedly struggling to communicate security issues to their business-minded bosses.
A focus on communication is becoming increasingly important as threats and solutions become more complex. Charles Bligh, who heads up TalkTalk’s security efforts, told CBR that, after the theft from TalkTalk of the details of 156,959 customers, the company had completely overhauled the language it used to discuss security.
“What I found during the event and subsequently afterwards was that there was a big education we needed to go through so we were all talking about the same thing,” said Bligh.
“A great example is board members asking if we are safe. As soon as you get that question you know you have not been through an education process. It’s not the right question.”
He said that establishing a consistent language for discussing cyber security within the organisation had helped the company “unblock” the decision-making process.
The problem is not just that IT professionals are speaking a different language, but that they are sometimes afraid of even beginning the conversation.
Fifty-one percent of IT security professionals responding to a Palo Alto Networks survey found it difficult to highlight possible security system weaknesses to senior management, and apparently as many as a third felt that involving senior management made matters more difficult.
What is causing this communication breakdown? According to Bob Tarzey, Analyst and Director at Quocirca, there are two levels of IT jargon in the security industry.
The first, he says, is exaggeration.
“We talk about cyber-warfare,” says Tarzey, “when it is really everyday spying, and will therefore be robbed of the gravitas of the term ‘war’, that will be needed when real war turns up online.”
He says that the scale of data leaks is exaggerated even when the “actual volumes are quite bad enough.”
The other part is the “needless” technical jargon which Tarzey says is fine for internal discussions but does not translate well to the business world.
He suggests “advanced persistent threats” could be better described as “targeted attacks”.
“We talk about nation state actors, when we mean government-sponsored theft of intellectual property and so on.
“The industry seems determined to invent new terms, when existing language will do.”
This feeds through to consequences. According to Greg Day, VP & Chief Security Officer, EMEA, Palo Alto Networks, jargon and intimidating terms have historically left businesses less engaged with cyber security, at a time when its impact was less broadly relevant to the business.
However, he says that this has changed now that security heads are included in strategic business conversations.
Both sides are now trying to cross the divide.
“As more security leaders have understood the need to learn business skills and language, there has certainly been an increasing desire to find a common ground. Additionally, business leaders have increasingly recognised the impact cyber can have on business profitability, so are keen to break through the jargon to make better informed decisions,” says Day.
For IT security professionals, a new approach based on anchoring cyber security threats in practical problems could provide a way to communicate those threats to business executives.
For example, it has repeatedly been shown that passwords, if stored centrally, can be stolen en masse from databases, as in the cases of Yahoo and LinkedIn. But basic fixes to this issue remain elusive.
Steve Manzuik, Director of Security Research at Duo Security’s ‘Duo Labs’, said: “We’ve seen all these high-profile breaches, yet we still see people reusing passwords, not using two-factor. People still ignore the best defence. It is difficult to get that communicated.”
Rather than being pitched as a technological upgrade, two-factor authentication could be presented as the solution to that problem.
“What makes a great IT professional is the ability to translate the conversation into the right context for each audience they work with, whether that’s business execs, finance, legal, HR or others,” says Day from Palo Alto.
He says that the professionals must view being a “universal translator” as core to their role.
“This is not about the technicalities of what can, or is, happening, but how this impacts the business, whether that’s commercially, legally or otherwise.”
From the other direction, Day recommends engaging business leaders in exercises to move cyber security from the abstract to something more “visceral and real”.
In such exercises, business leaders get hands-on insight into the potential scenarios, their impact on the business, and the consequential decisions that may have to be made.
In the long term, Day says this will help businesses understand the risks of cyber attacks and allow them to gauge investment decisions accordingly.
Bridging the cyber security communication gap will not solve all of your organisation’s security woes, but it is a crucial starting point for instilling security in the business’s strategy.