“I told you this would happen!” The board room goes silent as the executive team contemplates the events unfolding before them. There has been a serious data breach and the situation is escalating. Everybody is tense. The security team’s warnings about server vulnerabilities were ignored…why?
The middle of a serious security breach is not the time to discover that management ignores you. Unfortunately, it is often a serious incident that uncovers this problem (as well as precipitating it.) The question arises then, how do you get management to listen to security teams, when all they seem to care about is budgets, strategic initiatives, and meetings? The answer to this challenge lies in understanding why people pay attention to anything.
The problem is not that executives do not listen. They listen and read selectively. They pick an chose the issues and topics that seem to have the most relevance to them. If you want management to listen to you, you must communicate in a manner that makes your message interesting.
Boil it all down to basics, and there are two elements to being understood:
- Having information your audience wants to hear or understand
- Communicating that information in a way your audience can understand
There is not much to discuss for item #1. You either have useful information or not. For security, that means having a message you need to deliver to the management. With all the security tools and capabilities out there, there are plenty of messages to deliver. So, we can cast that aside for now.
It is #2 on that list that gives security practitioners the most trouble. Having been a writer and a business leader for nearly two decades, I have learned (the hard way) that how you say something is equally (if not more) important than what you say. If you want a message to get through, you need to deliver it in a package that the recipient will open.
This is especially true for information security, which is a discipline of complexity. Simple answers in security are rare. Most security issues have a billion shades of gray, all of which look the same to a person (like management) who lacks the acuity to understand those shades. Moreover, security people are often victims of their own tunnel vision, seeing everything through the eyes of security, unable to understand why people do not see it the same way they do.
Fortunately, there are plenty of communication strategies that, when used properly, can be very effective at communicating security concepts to even the most dismissive managers. Most of these strategies apply to written communications, however they can be applicable to spoken language as well. Furthermore, many of these are time-honored practices of rhetoric that have been around for a long time.
We will start this journey with the first advice I ever got as a writer from my sophomore English teacher, which was a nod to Beaverton, Oregon’s most well-known company.
Just Say It
If you want people to hear you, then come right out and say what you mean, honestly and directly. If the network is insecure, do not talk around the issue with euphemisms and bureaucratic posturing. Say “our network is very insecure and needs work.” The quicker you can get to the point, the more likely people will hear you.
However, do not confuse being direct with being a jerk. There are ways to be direct that are respectful and honest without being rude or mean. The simplest way to do this is to avoid making things personal. In other words, avoid using the pronoun “you.” Rather, use the plural first person pronoun – we (or us, our, or ourselves).
Bad: Upon review of our infrastructure systems, the team detected misalignment of our security controls with established policy. This misalignment with our stated rules is a violation of organizational policy. Our policies were created to ensure the organization met compliance requirements and security best practices. When we consider the issues, there might be cause for concern. The software on our systems does not meet the policy requirements. To help align the systems…blah blah blah you should already be asleep if you read all the way to this point.
Good: Our servers are misconfigured. That caused the breach. We need to patch all servers immediately. We also must implement a better patching protocol.
One caveat to this advice is to consider cultural factors. Some cultures do not like directness. For example, people with a Japanese or Indian background may take offense and dismiss overly direct communication. This is a reflection of their cultural values. Directness is considered rude, while indirectness is considered respectful. As such, if you work in a culturally diverse environment, dish out direct talk carefully. People from North America and Europe are generally more comfortable with direct talk, but not always. In lieu of directness, you might try a related strategy of simplification.
Simplify the Message
Complex language is difficult to understand. Simple sentences, using simple words, are more likely to be understood. This applies to both written and spoken language. Adding more detail may seem like you are “covering your bases.” However, it often accomplishes the exact opposite and makes people nitpick the message (if they are not ignoring it entirely.)
The easiest way to simplify is to use simple sentences with simple subject-verb-object construction. Avoid complex clauses and dependences. Simple sentences communicate efficiently. Also, keep the adjectives and adverbs to a minimum.
Bad: The firewall policies are incomplete with respect to the requirements of PCI 1.2, which states that organizations must restrict inbound and outbound traffic by location, and we must improve the rules if the company intends to maintain compliance which is required per our payment processor.
Good: Our firewall rules are incomplete. They do not meet PCI compliance requirements. These requirements mandate inbound and outbound traffic is controlled. We must clean up these rules to ensure compliance.
Another way to simplify is to use short sentences and more of them. If you make the previous sentence’s object the subject of the next sentence, they naturally connect. In second sentence of the example above, “requirements” is the object. It becomes the subject in the following sentence. This connects the thought, and is much easier to follow.
Never use the word “by” in any written document. I mean never. “By” almost always indicates passive voice. Passive voice reads awkwardly and communicates worse. Some people believe that passive voice sounds official and proper. Unfortunately, it does not communicate well.
Scan every document you ever write for “by.” Rewrite the sentence to avoid using it. Typically, that means flipping the sentence around, placing the object as the subject and vice-versa.
Bad: The new patch management system will be opposed by the database administrators because it does not provide coverage for the latest version of SQL Server.
Good: The database administrators oppose the new patch management system because it does not support the latest version of SQL Server.
The Time is Now
When explaining a complex idea, state everything in the present. Sorting out the past from the future is more difficult to read and comprehend. State issues and problems “as if there are right now.”
Bad: The database system was out of date and our vendor does not know if they will issue updates. We will need to perform an upgrade to the system because the old version had a lot of vulnerabilities.
Good: The database manufacturer does not support our current system. We must upgrade it. The version we use has numerous security vulnerabilities.
Not only is the first version clearer, it does not mix time frames. Use of “was” suggests the system was bad, but is okay now. Also, “we will” is a weak expression. It treats the upgrade as some future, optional event. Use of “must” in the first sentences is a clear, present-tense directive.
Present-tense statements are also an imperative. Future tense will sound optional. Past tense sounded like it was all said and done. (Notice those sentences used the tense they were describing.) Past and future tenses are only good when you need to put an event in its respective time period. If there is no compelling reason to establish a time frame, then state everything as if it happening right now.
Logos, Ethos, Pathos
If you want to persuade people to your point of view, you need to appeal to their whole being. We can thank the ancient Greeks for discovering how to do this through the Modes of Persuasion: logos, ethos, and pathos. The Modes of Persuasion are extremely powerful. Used evenly and correctly, you can convince even the most stubborn critics. However, persuasive communication takes practice to master. The best way to get started is to make sure you have statements that cover all three modes. With practice, you can start learning how to integrate each mode into a cohesive whole.
Logos / Logic
The weakest of the three modes, but the most reliable. Logic appeals to intelligent people who prefer sound, rational explanations. However, where logic can clarify a point, it does not have the potency of other modes. Logical arguments sound stiff and formal, which may alienate some readers.
Logical statements are a connected chain of reasonable statements, that lead to a valid conclusion. Consider the following:
“The protection of patient data is an organizational responsibility. Encryption technologies will protect data. The investment in data protection is modest when one considers the cost of a breach or theft of data. Therefore, it follows that we have a responsibility to employ methods of protection that protect patient data. This new encryption technology will protect patient data at a reasonable price, and is therefore a worthy investment.”
Notice how one rational statement follows the next and then another. They are all chained together and eventually lead to a conclusion: buy the software. Nevertheless, the writing is dull. Logic lacks passion or depth, and therefore can come off sounding cold and calculative. Thus, logic has the most validity, but the least potency.
Ethos / Ethics
Most people have an innate sense of right and wrong. In the security industry, ethics can be a very powerful persuasive force. Ethical arguments appeal to some external authority, such as the law, management, governments, or deities. They can also appeal to a universal sense of what is right, good, or proper. Consider the following:
“Protecting our patients’ data is more that the legal thing to do, it is the right thing to do. Our company mission statement clearly states our duty to the community and our patients.”
It is difficult to disagree with that statement. That is why it works. It appeals to not only the readers sense of right and wrong, but also to the authority of the organizational mission statement.
It is not, however, impossible to disagree with those statements. If your audience does respect the source authority they will also reject the argument. Moreover, ethical statements can beckon nitpickers who want to open up a meta-argument and start questioning your assumptions.
Ethical statements have some of rationality of logical arguments mixed with feelings of loyalty and allegiance to authority. Therefore, they make a good bridge to your final appeal, emotions.
Pathos / Emotions
Emotional persuasion is extremely powerful and equally dangerous. Properly used, emotional statements can motivate people to do just about anything. Emotions work at the deepest parts of our mind. This is why human anecdotes about survival, adversity, or caring are so potent. They affect us at a profound level.
However, there is an ugly flipside to these statements, they are unpredictable. An emotional statement can just as easily convince people to support or oppose you. Consider the following:
“Caring for people is who we are. Consider Bobby Smith, who struggled with the devastating effects of leukemia. Fragile and weak from treatment, Bobby looks to all of us to protect and care for him. And when he walks out of our hospital, alive, strong, and ready to play catch with his Dad, we owe it to him to protect not only his body, but his data.”
Are the tears welling up in your eyes? We need encryption to save Little Bobby’s life! It is all true and honest stuff, but it is very emotional. While your CIO fights back the tears signing that purchase order for Little Bobby’s encryption, he also might feel cheated. Emotions are not predictable. Perhaps your CIO has a son dying of cancer. Your appeal seems garish and rude to him. Now your attempt to get a new encryption system has backfired and you are out of a job.
Emotional statements must be supremely sensitive to your audience. That means you must know your audience well and craft statements that evoke the emotions you want. As a general rule, it is always better to evoke positive emotions (love, caring, happiness, optimism, etc.) than negative ones (hate, anger, jealousy, etc.) Security is an emotion. People have an innate sense of feeling secure. However, security is also closely related to fear and hope. Both equally powerful emotions that are also equally unpredictable.
A little fear, mixed with a lot of hope can evoke a strong secure feeling. But keep the fear to a minimum. Overuse of fear words will create a “boy who cried wolf” situation and your audience will reject it.
When you structure your communication, take the time to use all three modes of persuasion. Logical arguments should come first, then transition to ethical ones, and finish them off with an emotional narrative. Which is a good segue to the next communication strategy.
Create a Narrative
Stories have power. They create a space where people are receptive to ideas. This is why books and movies are such potent tools of persuasion. If you can package your communication in a story, you are more likely to be heard.
Narratives do not need to be complex. Consider the narrative used at the beginning of this article. In the first sentence I dropped you into the middle of a board room with a security person saying “I told you so.” Most security practitioners can relate to that scenario. That narrative opened up this article and “softened you up” to accepting what I was going to say.
Remember the story of the Trojan Horse? Narratives are Trojans of communication. They are persuasion disguised as a friendly tale. Some of the most venerated leaders in history used stories as a method to be heard. Abraham Lincoln was renowned for having a tale or anecdote to relate just about any situation. This made people listen to him and also made them more amenable to his point of view.
Why? That tiny word is exceptionally powerful. Why are we doing this? Why do we need this? Why is this not working? Asking simple why, how and what questions of people may not communicate an idea, but it can lead them to one.
The best way to convince people is to make them think they came up with the idea on their own. It is kind of like that movie Inception, where they put thoughts into people heads. When you ask questions, you plant ideas that can grow inside the audience.
However, you do not just ask any question. The questions need to direct the audience toward your point of view. For example, if you know the server administrators are not encrypting confidential data, asking them why the data is not encrypted gets them talking about the issue. They might say it will cause performance problems. The next question should be, “have you tested this?” Continue digging into the issue, and you may find that your server administrator convinces himself that the data must be encrypted, and you merely led him to that conclusion.
If asking questions and using narratives opens people up, attitude closes them up. Unfortunately, attitude is an occupational hazard of the information security industry.
The security industry has a terrible addiction to attitude and indignation. Venerated security gurus love to get on stage and shake their fists at the sky and decry all those stupid people who just do not get it. This conditions the audience members to believe that attitude is how accomplished security people get things done. As such, they take this attitude back to their workplace, and it promptly alienates everybody around them. This confuses the security people and creates resentment. They cannot figure out why people ignore them, when they are just doing what the rock stars do. Ultimately, this creates an unhealthy environment and bad security.
What gets lost in all the attitude is respect for the differing levels of experience among non-security people. It is not the accounting department’s fault that they send out confidential data if they do not have the experience and training to know that is a bad thing to do. Yelling at them and treating them like idiots will just make them hate you. Moreover, writing policies, emails, or reports that are filled with attitude and condescension will make the readers ignore the content regardless of the message.
Security practitioners must shepherd the wise and weak through the valley of hackers and malware. If you want people to hear your message and follow your lead, you must respect each of their strengths and weaknesses. Which leads to the last, and perhaps most important, aspect of being heard.
Deliver Vision and Reassurance
If you set aside the whole Maslow’s Hierarchy of Needs, people ultimately want two fundamental things from security teams: a path to something better and the feeling that they can get there.
People will listen when you can show them a path and reassure them they can walk the path. To motivate people down the path of better security, you must simultaneously explain 1) why the path is so important, 2)what is down the path, 3) and that it can be done. If you do not believe you can protect your organization, then nobody else will.
However, do not fall into the trap of complaining about a lack of resources or support. If you expect to be handed everything you need, then you are in for a depressing and unsatisfying experience as a security person. It does not matter if you are in a tiny company, or a gigantic global enterprise, nobody has the resources or support they want or need.
Rather than focus on what you do not have, focus on what you do have. One resource you have in abundance is the ability to communicate. It costs nothing to talk or write. Good communication coupled with strong motivation can conquer any resource shortage. When you look back on history, all the great moments and innovations came from people and groups who had limited resources but an abundance of motivation and the ability to communicate ideas to other people.
Business leaders are not robots that just respond to data input. They are people with emotions, minds, and desires just like the rest of us. Aligning the security needs with business needs will ensure that business leaders take information security seriously.
That alignment process begins with management hearing the message. If you want management to hear the warnings and offer support, then packaging that communication in a format that leadership understands is equally as important as the message itself.
Anitian – Intelligent Information Security. For more information please visit www.anitian.com