As someone who has been in the cybersecurity industry for many years, I have witnessed more confused, perplexed, dazed and otherwise confounded looks than I care to admit. Nearly all of them came from people who asked simple questions like “What do you do at your job?” or “How do you actually secure XYZ?” Recently, I have been hearing a lot of questions about security breaches, including “Why do I keep reading about these security breaches in the news?” When I start to explain the answer, the listeners quickly become disengaged and one of the looks I mentioned earlier soon appears on their faces. Cybersecurity should not be hard to explain, but so often it is. As security practitioners, we are always ready for the analogy–pick your favorite–the castle, the bank vault, the battlefield, etc.–but it always seems to fall short of actually educating the audience.
Some questions are more prevalent than others these days, and I am sure that in your company you get a steady stream of questions from your business partners and colleagues. First is “Why is it so hard to keep the bad guys out?” This is a completely relevant and fair question, but it is not easy to answer in simple terms without pulling out at least some technical jargon. Another favorite is “How do these data breaches happen?” Again–without technical explanations–you are most likely faced with explaining how people break into a home or business physically. It might make the point, but the person is no more educated on technological security challenges than when the conversation started. Next come questions like “What is a vulnerability and why can we not fix them?” and “How did the security team not see what was happening?” At this point, the conversation is really going downhill fast if you are trying to avoid a confused questioner. Ultimately, the discussion arrives at the basic question “How can companies get better at cybersecurity?” At this point, explanations of defense in depth, event and packet analysis, and other components of a well-designed and effective security program frequently leave the questioner confused and frustrated.
One simple tool to address the conversation is a hand-drawn picture. In a conference room, that pretty whiteboard hanging on the wall with its clean, shining surface is beckoning you. Worst case, you whip out a piece of paper and pencil and go old school. Pictures can provide a bridge to those visually inclined, but also give any listener space to reason, think, analyze and ask questions. At that point, you have passed from ‘lecturing’ to ‘learning’ and lo and behold, the questioner actually understands more at the end of the conversation than at the beginning. The trick is finding some simple ways to discuss these issues with your business counterparts, in clear business terms, to improve their understanding of cybersecurity and open up the communication channel to partner for solutions.
Steve Schlarman, CISM, CISSP
RSA, The Security Division of EMC
Steve will discuss this concept at ISACA’s North America Information Security and Risk Management (North America ISRM) Conference this November, in his presentation titled “Intelligence Driven Security Whiteboards.”