Communication Challenges in Cybersecurity

I recently spoke to our local ISSA chapter in Birmingham on this topic. It’s a topic I’m quite passionate about. Early on in my career, a common piece of feedback I received was that I need to improve my communications. This came in various flavors including you’re too blunt, you’re too harsh, you’re too honest, and even you’re too confident. It took me years of hearing this, fretting over not getting it right, worrying every time I made a mistake, and ultimately having a little better understanding of what they were, ironically, trying to communicate.

Don’t get me wrong, I’ve received many feedback sessions that were extremely valuable, but there are always those that hurt a little, set a challenge, but give you little to go on to fix it. I was also blessed to have numerous leaders and mentors who worked with me on this, provided paid coaching and help for it, and gave real, candid feedback that helped me fine tune and hone this. I don’t get it right every time, stress usually defaults us all to our worst version of ourselves, but today I feel like I know enough to know a bit about what I don’t know and enough to offer advice to others. Here’s an attempt at sharing some of this with others.

Perception is Reality

There are a lot of influencers who talk about the perception of security. There is a lot of truth there, but there are also micro truths that apply to each organization. The business’ perception of your security team, your perception of the business, your perception of technology teams, your perception of vendors, your CISO’s peers’ perception of the CISO… these all directly impact how your communication challenges are going to manifest. They can exacerbate your shortcomings, they can give you some reprieve, and they can determine how well you are set up for success or failure in your communications.

Here are a few things I’ve learned in this space:

  • “When something feels easy or intuitive, we are more likely to believe it is true.” - Thinking Fast and Slow by David Kahneman

  • Speaking in the language of your listener builds trust

  • Approaching a conversation with trade-offs on your mind builds influence and influence speeds up action.

Common perceptions of security teams:

  • Seen as compliance enforcers

  • Self absorbed, tunnel vision, unaware

Common perceptions that security teams have of others:

  • Unable to understand

  • Too busy to care

  • Focused on the wrong things

The Power of Unconscious Bias

I was first introduced to this concept about 8 years ago, and it changed my life. There are some core biases that drive a lot of current social media trends and impacts, and ultimately, I think, are driving the demise of society. The book Thinking Fast and Slow by David Kahneman is also a really good piece of work. Essentially his book explains that our ‘fast thinking brain’ is heavily influenced by our upbringing, our genetics, and many sociological influences. This is the part of our brain that creates our default mental position on a topic or event or person. Then our slow thinking brain comes in. It requires more time and more effort in order to take advantage of, but it can be trained and honed to filter our fast thinking brain. Those that have not taken the time or put the effort into strengthening their slow thinking brain will often react with their core default biases outwardly.

So what are unconscious biases? Short of copying a google search result, they are biases within our subconscious that present themselves in our thoughts, reactions, and communications.

A few examples:

  • The curse (or burden) of knowledge - Essentially someone who has learned a topic well tends to forget what it’s like to not know something. This often results in taking for granted the reactions, assumptions, and actions that are made, and in failing to teach, remind, or have empathy for someone who is new to the space or does not work in the space. There is a good deal to learn here when training, teaching, mentoring, and parenting.

  • Negativity Bias - We (as humans) tend to give more weight to threats and fear than to balanced information. In other words, when presented with two items, the one that creates the most fear within you will get more of your attention. This can be used as a sales tactic, as a parenting tactic, and as a leadership tactic. But it can also be abused or it can be overused. Overusing it greatly hurts your credibility. But it’s also important to recognize it within ourselves as the receiver too.

  • Actor Observer Bias - one of my all time favorites - Essentially, we judge others as a result of their character and we judge ourselves as a result of outside factors. “He did that because he’s dumb, but I did the same thing because I was running late and rushed.” We should use this to stop and think about just about every thought we have about other people. We should also consider this when we are being judged.

  • Confirmation Bias - We tend to favor and look for information that supports what we already believe. This fuels so much of social media bias, and political emotions. We have a tendency to do this naturally, and social media exacerbates this by only showing you things that reinforce it.

There are many others, but I will introduce 3 more and explain what I call compounding biases. This is where perception has a great impact on how people think and perceive their reality. The halo effect says that people interpret everything they hear based on their overall impression of that thing. So if they already have a negative perception of your team, then they’re going to see through that lens as they are communicated to. Now add to this that people have a tendency to have loss aversion (they’re more sensitive to losses than gains). Then further add to that the framing effect, which says that the way something is framed has an impact on how choices appear. So, when you start stacking these biases on top of each other in how we communicate to others and how they hear what you say, there are a lot of situations where what we say is a very small part of what is heard.

What Are Some Ways You Can Use This

Ask yourselves some of these questions:

  • Where does the business see the greatest pressure on profitability?

  • Which products or services drive the most revenue or strategic growth?

  • What is the impact to each team for each ‘vulnerability’ that is discovered?

  • What feature/widget/service has the biggest potential impact on revenue this year if it is not implemented?

If these are not questions you can readily answer, finding the answers can go a long way in improving your relationship with other teams and their perception of you. Get to know your ‘customers,’ learn what their drivers are, don’t surprise anyone, and “anticipate the 2nd and 3rd questions.” This last piece is one of my isms that I tell my teams. When you are responsible for a topic and explaining it, presenting it, or defending it - you should always anticipate 2-3 questions deep from your audience and have the answers at your fingertips.

Don’t Take Yourself Too Seriously

This goes a long way in communication. Second to this is a quote from the book How to Win Friends and Influence People by Dale Carnegie: “Influence begins with genuine curiosity.” You can’t fake this. You can try, but your micro expressions and your nonverbal cues are all hard to fake, and that’s what people are really reading. I’ve found that your relationships are generally going to be defined by the most common situations where you interact.

  • Do you only interact when you need something?

  • Do you only interact when there is bad news?

  • Do you only interact when there is a stressful situation?

  • What is your demeanor like in those situations? It’s going to impact the other person’s perception of you.

Awareness is half the battle. Learn these subtleties and observe how they come out in your interactions, your emails, and your relationships. Lastly, within a career context, if you want to become an ally, an influencer, and a partner, you need to expand your reach across the org and learn to speak their language. You will become an unstoppable force if you can expand and develop those relationships, those cadences, and those languages.

Final Thoughts

  • Pre-meetings, while time consuming, go a long way in helping you control the outcome of your ask or need. Learn about both support and dissent and proactively include them in your presentation even if they hurt your case.

  • Don’t surprise anyone

  • Pose your statements as questions

  • Do you know who your biggest antagonist is going to be? That’s who you need to meet with, hear out, and incorporate into your plan. If they can help you develop your plan you can create an ally.
