Some questions are more prevalent than others these days and in your company I am sure you get some stream of questions from your business partners and colleagues. First is “Why is it so hard to keep the bad guys out?” This is a completely relevant and fair question but is not easy to describe in simple terms without pulling out at least some technical jargon. Another favorite is “How do these data breaches happen?” Again–without technical explanations–you are most likely faced with explaining how people break into a home or business physically. It might make the point but the person is no more educated on technological security challenges than when the conversation started. Next, questions are asked like “What is a vulnerability and why can we not fix them?” and “How did the security team not see what was happening?” At this point, the conversation is really going downhill fast if you are trying to avoid a confused questioner. Ultimately, the discussion arrives at the basic question “How can companies get better at cybersecurity?” At this point, explanations of defense in depth, event and packet analysis, and other components of a well-designed and effective security program, frequently leave the questioner confused and frustrated.
One simple tool to address the conversation is a hand-drawn picture. In a conference room, that pretty white board hanging on the wall with its clean, shining surface is beckoning you. Worst case, you whip out a piece of paper and pencil and go old school. Pictures can provide a bridge to those visually inclined, but also give any listener space to reason, think, analyze and ask questions. At that point, you have passed from ‘lecturing’ to ‘learning’ and lo and behold, the questioner actually understands more at the end of the conversation than the beginning. The trick is finding some simple ways to discuss these issues with your business counterparts—in clear business terms— to improve their understanding of cybersecurity and open up the communication channel to partner for solutions.
Steve Schlarman, CISM, CISSP
RSA, The Security Division of EMC
Steve will discuss this concept at ISACA’s North America Information Security and Risk Management (North America ISRM)Conference this November, in his presentation titled, “Intelligence Driven Security Whiteboards.”
[ISACA]
