Security professionals at the most senior level, more than ever before, need the prerequisite skills to effectively communicate the value of their teams’ efforts across the organization. That means building strong connections with department leaders, and upstream to the C-suite and Board of Directors, by speaking in a language the executive level is accustomed to hearing: the language of enterprise risk.
Often there is a temptation to inundate key executives with complex data on the threat landscape, coupled with reams of attack information gleaned from network monitoring tools, in an effort to compel a sense of urgency and importance. Most often this results in the audience feeling overwhelmed, tuning out, and losing the message.
To understand better how we as security professionals can hone our messaging and accomplish the level of response we hope to elicit across the organization and up the corporate food chain, we spoke at length with Michael Santarcangelo (@catalyst) of Security Catalyst, widely recognized in the field as an effective communicator and advocate for change and improvement.
Santarcangelo draws on nearly two decades of translating the complexity of security into transformative experiences. With a background that blends security with the science of human ecology, Santarcangelo developed, applies, and teaches about a system designed for individuals and organizations to effectively communicate value.
Santarcangelo works to advance and share the art and science of this practice through speaking, training, and consulting sessions with Fortune 500 and other large enterprises, and has a regular column in CSO Magazine.
Santarcangelo believes that despite our best efforts to better connect security operations to the core objectives of the businesses we serve, we still have a long way to go, with one key obstacle to effective communication being our ability to clearly define a common vernacular.
“The trick to this question is the perception and meaning of words like ‘security’ and ‘enterprise risk management’. In my experience, those words mean different things to different people, even within the same team or organization, which means there is no definitive answer,” Santarcangelo said.
“The best approach is to clearly define the terms, or even use different words altogether, then focus on functional outcomes of value to the business, and learn to communicate what really counts.”
Santarcangelo says that first we need to learn the fundamentals of communication in general, and to dispel the common myth that communication is merely an innate soft skill that some lucky people are just born with.
As such, people tend to adopt an attitude that they are unable to learn how to communicate effectively – or even worse, that they don’t need to. Santarcangelo says this myth is often compounded by the notion that ‘introverts’ will necessarily always struggle with communication, coupled with the generalization that most of us in the security and technology fields are introverts, and so we are not good communicators.
“Both myths need to die a slow, fiery death. Both are false,” Santarcangelo suggests.
“Introversion and extroversion are less about interpersonal skills and more about where we draw energy from. Most people would be surprised to learn I’m naturally more introverted. I draw on my own energy, and as a speaker I routinely blend with and amplify the energy of others. That makes me an ‘ambivert’ of sorts.”
Santarcangelo says that anyone who decides to put in the time and effort to learn, practice, and develop effective communication will eventually succeed, but that few people make this commitment to themselves and to their careers.
Aside from learning and developing personal communication skills, Santarcangelo says we as security professionals also need to focus on translating technical knowledge into functional outcomes that resonate with the business.
“I worked on an effort years ago where the security team focused on using complex jargon related to the proposed solution. A year later, they had nothing to show for it except that they had upset the organization’s leadership,” Santarcangelo explained.
“They called on me to step in and try to get things moving. We slowed everyone down, completely tossed out the jargon and used a whiteboard to draw up the process flows. We simply focused on the current situation, the desired outcomes, and on the steps we needed to take in order to get there.”
The result was that a costly year of impasse and anger was resolved in 24 hours with the use of simple drawings and by shifting the conversation to focus on the functional needs of the business, not the technical needs of the security team.
“Effective communication is a process, not a product,” Santarcangelo said of the experience.
“Though it sometimes takes longer than most people expect, and it often requires a lot more effort.”
Stay Tuned for Part Two of our Interview with Michael Santarcangelo…