Australian Security Magazine, Apr/May 2016


Cyber Security

Effective communication skills

By Mike Schuman

Effective communication skills are probably the most important attributes a cyber security professional or any senior leader can have: here’s why. I wrote this article to explain how ineffective communication can erode your credibility with the C-suite, and explain how a good communicator, who delivers succinct and accurate briefings to the executive, will command respect and engender belief in the security team. Let’s start with a situation…

THE INCIDENT

You’re the information security manager for a large corporation. It’s just turned 4 pm on Friday afternoon and you’ve taken your team to the pub for a well-earned beverage. Your mobile phone rings – it’s your service delivery manager – something’s happened at one of your major sites. Users are reporting issues accessing their files. You ask, “OK, so how is this a security issue? Have you spoken to the infrastructure manager?” The reply is the last thing you want to hear, “We thought it best to call you because the error message said, ‘Your personal files are encrypted.’” The message may have looked something like the dialog shown in Figure 1.

Figure 1 Typical Ransomware Dialog Box Demanding Ransom

You sigh, thinking to yourself, finally, it’s happened. You’ve been protesting for years that your organisation is vulnerable, but you now have a fully blown incident on your hands. What could you have done differently? Why wouldn’t they listen to your warnings? Are you now going to be able to say, “I told you so!”? It’s time to stop and take a deep breath. Could it be your own fault that you’ve been unsuccessful in getting your initiatives over the line? Let’s go back and take a look.

LOOKING BACK

For years, I’ve worked very closely with IT security professionals. At times, I have even walked in their shoes. Years ago, these dedicated crusaders didn’t get much airplay with the executive, since security was a backroom activity for the true geeks of the IT team. Some would say this is still the case today, however, security has always had somewhat of an antagonistic relationship, even confined within the IT organisation. Behaviours that permeated security teams at that time included:

• Empire building: The desire to build larger teams and add new security infrastructure (or take control of hardware from other teams)
• Chicken Little communications: Articulating scenarios in emotive and inflammatory tone in order to win favour for big programs of work
• Power trip: Locking down access, authorisation without business engagement and treating assets as if they are wholly owned by the IT security team
• Crisis driven: Chasing the spread of viruses across the globe and focussing on where to attribute blame
• Drowning in policy: Creating ever more restrictive security policy, instead of looking at causal factors and security awareness

Over the years, I have seen IT Security business cases with no numbers and a great deal of inflammatory language designed to elicit emotional responses. That emotion is fear. In business, however, fear is not going to drive C-Level executives to knee-jerk decision making. Yes, I hear you… You are the subject matter expert! You know more than those silly execs! SO… why isn’t anyone listening to you?

