So how does a communication skill set gap impact cybersecurity? Well, I am glad you let me ask that question for you. If you have been reading along with the gang at home, you might have read comments from me about the almost obsessive need to have more and more terms, acronyms, etc. in the technological world. These terms, which at times cover detailed topics, are picked up by marketing and tossed around with not much in the way of explanation. Yet consumers (even business consumers) are expected to know what they are and the context behind them. I had a chat with Christopher Henderson, senior director of threat ops at cybersecurity company Huntress, about this issue and how it impacts not only staffing decisions, but also the security landscape in general.
In cybersecurity land there has been a disturbance in the … no, wrong script... there has been a bit of a shift in the people who are driving the industry. I have called this the change from geeks to businesspeople. The businesspeople are interested in outcomes and cost centers. The conversation tends to be very nebulous and focused on what seem like short-term gains rather than core issue remediation. Into this mix was born (or evolved) the MSP, MSSP, and cloud provider, who is there to take on your operational and security burdens. However, this also means that an understanding of the core issues and first principles has shifted out of the hands of the business owners (and executives), so the meaning, context, and nuance of these items get lost in the background, and along with that nuance and context goes any conversation around value.
Now, while nuance and context are still very, very important, value is potentially the most important thing that is lost. It is the "why" in the conversation, and it is also one that too many of the new class of technical people are ill-equipped to express. Now let's complicate the matter a little more. Christopher and I began the conversation about frameworks, regulations, and audits, and I can tell you this is where the fun begins. If you have spent some time reading over different frameworks, you might notice that they are not written in what you might call plain English. They tend to be technically vague, with some minor direction on what needs to be accomplished. Some of this vagueness is intended to allow an organization to implement the controls of its choice, as long as the item is covered. If you are not technical enough to understand the concept behind the intent, you can end up either implementing the wrong control or not doing anything at all. I have personally encountered this with clients where they misunderstand something in a framework or regulation, end up getting an audit, and now must explain why they did what they did.
Now here's the rub on this one. I have also sat in on conversations between a client and an SME (subject matter expert) where the SME was incapable of communicating how their product solved the client's needs. From the chair I sat in, the client presented what the problem was, and before digesting and understanding the problem the SME was already presenting a solution. The client asked for more information on how this solved their problem, but the SME kept going back to high-level concepts with no context or value to the client. What makes this anecdote even more frustrating is that the solution was a good one and would solve the problem. The SME just could not properly communicate it, and the client was unable to communicate their concerns properly. I stepped in to translate and the deal was made. Still, this type of exchange happens all the time, with both sides shouting into the wind and neither side understanding the other.
So how do we fix this? Christopher brought up a few items, such as finding ways to highlight or celebrate proper communication of complex topics, rather than just spewing out highly technical (or marketing-term-laced) articles where the readers are nodding their heads like Joey from "Friends" while not getting what you are saying. He also mentioned a focus on communication during the talent acquisition phase. This can be accomplished in a few ways. One of my favorites is to present a complex problem and ask the candidate to solve it. The problem should have an answer, but that should not be the focus. Ask the candidate to show their work. This means they must communicate with you to show they understand the problem and can convey that to someone. As a bonus, it also gives you a chance to see how they logically approach something and when they might need to ask for guidance. Another is to hire for comprehension and communication skills and teach the technical side internally. Both have their pros and cons. Yet another option is to include communication skill training for employees. Much as it is generally assumed that people know how to properly use a computer, phone, and productivity software, there is an assumption that they know how to communicate. Sadly, this is not always the case. There are more options, and each company should identify how it wants to approach this issue so that it can be solved.
No matter how the communication skill set gap is addressed, it is an important part of building a security culture inside a business. Being able to properly communicate can also help people build bridges between teams that are often at odds, simply because there is now an effective way to explain the "whys" in an issue. Good communication skills may also help us move the security needle a bit, as you can now talk about the value of a proposed solution instead of focusing on just cost.
Ok. Soapbox put away, for now.