The acquisition of nCircle earlier this year has greatly increased Tripwire’s scope and ability to deliver value. In bringing the two companies together, we have learned a number of lessons, many of which are simply about bridging cultures.
Many of the issues we have tackled are relevant to any situation in which two different organizations are coming together. Here is one that might be relevant to security professionals in their attempts to work and communicate with the business – the need to align on the meaning of words.
As a leader in R&D, I have of course been most focused on bringing together our R&D organizations. Probably the most surprising aspect of integrating departments has been the disparity in the meanings of what we had assumed were well-understood words.
The kinds of words that software teams use all the time – agile, services, libraries – at times meant vastly different things between the two groups, leaving a great deal of room for misunderstanding.
Nobody was wrong about their use of words – but the words we use are loaded with concepts that we have built up over time based on our own career and life experiences. Tripwire recognized this dynamic quickly and has since worked to explicitly reach a common vocabulary in order to maintain alignment.
Our lessons around vocabulary occurred in a pretty ideal situation between extraordinarily similar groups – what percentage of people in the United States have a computer science degree and deliver information security software in an agile development center? And yet despite the parallel educational and career backgrounds, we were sometimes far apart when it came to our understanding of the words.
If that kind of misalignment on language can happen between such like-minded groups, how large a gap might show up in interactions between a highly technical security department and a non-technical, business-minded executive team? When you’re trying to justify your budget with those words, what impression is your audience walking away with?
What loaded words are you using within your security organization that you assume your senior leaders understand in the same way you do? The security industry uses a number of terms that are common English words – risk, vulnerability, threat – that someone speaking plain old English might consider subtly different synonyms.
Do the decision-makers in the organization carry the same understanding of those words that you do? Your CEO is probably not reading security trade magazines, nor should he be – he is hopefully off reading articles about how to make his employees rich and happy.
Which is all just to say, when you go to your company leaders looking for decisions or funding, you might consider taking some time to make sure they understand the meanings of the actual words you are using.
The distinctions between concepts are often important, and in many cases the actual definitions of some of the words can change the perception your leaders walk away with and the decisions they make.