Waiting on the world to change
By Katherine Teitler
December 21, 2016
The New Year is close upon us and many security firms and media outlets are busy publishing 2017 predictions or “the year in review.” Rather than following suit, I’d like to propose a New Year’s resolution to all security practitioners (and office workers, in general, really):
May we work to improve our communication skills and thus become better corporate citizens and more effective security practitioners.
Me and all my friends
As the saying goes, “communication is key.” What this means, practically, though, isn’t quite so straightforward. “Communication,” as defined by Merriam-Webster, is “an act or instance of transmitting; information transmitted or conveyed; a process by which information is exchanged between individuals through a common system of symbols, signs, or behaviors.” That sounds pretty simple, right?
Unfortunately, it’s not. While perhaps “transmission” is a technically correct definition, actual communication only truly occurs if the information transmitted between entities is understood by both entities. In the best of circumstances, the information that is transmitted—communicated, if you will—is understood clearly and is useful to all parties involved.
We’re all misunderstood
Communication issues are certainly not unique to the security industry, although industry practitioners frequently talk about improving how security communicates with and presents to the business/executives/the board, how to work more cooperatively with IT and operations, and how to translate technical subjects into language the business can consume. On top of that, there’s the longstanding perception of the security guy/girl as a loner, an ornery introvert who takes a contrarian position on just about anything involving IT—a perception security professionals, themselves, haven’t worked too hard to counteract outside of the security community itself.
Looking at the above, security practitioners seemingly have a greater hill to climb when it comes to communication. What I’ve found, though, is that even though security has its own quirks and tendencies, every other department also has its own set of inclinations. And there’s the rub: As business owners and employees, we all have to communicate with different personality types; because “communicate” really means more than just, “tell the other person/people what you want to convey,” communication gets tricky quickly.
Many definitions of and advice on better communication abound, but let me provide an example of a recent communication disaster I witnessed, to illustrate.
They say we stand for nothing
A program director contracted a security subject matter expert (SME) to write an online security course for the contracting company’s e-library. When the SME was first contacted, he was told the company was looking for an intro-level security course that allows students to self-guide and learn at their own pace. The course only needed to be “thorough” and fulfill a certain number of continuing education credits (CPEs). The program director enrolled the SME in another (non-security) course so he could [SIC] “get a feel for what these courses are like, etc.” The SME was given an initial deadline for course materials, and off he went to write his course.
When the time came, the SME submitted his materials to the program director, who looked at the materials and thought, “There’s not enough material for this type of course!” He contacted the SME and said “more material” was needed. The SME asked “what more do you want,” but the answers he received were not clear to him. What the SME heard over and over was, “More detail, like the example [of the unrelated course] I sent earlier.”
This unproductive exchange continued for two weeks until a phone call was scheduled (hint: speaking is always a better way to sort out miscommunication than email). During the call, however, the program director continued to use the same sort of words and tactics with which he was familiar and the SME continued to not understand what else was expected of him, since he felt he’d provided plenty of detail in the content of the course materials.
There’s no way we ever could
Frustration prompted both individuals, whom I’ve known for a long time, to contact me and ask for help. Because this was not a type of program with which I am familiar, I was only able to offer limited advice. After hearing a little about the program and skimming through both the sample materials and the draft materials submitted by the SME, I saw immediately that what the program director was looking for was not necessarily more “detail,” (which was never described in the first place), but a lengthier presentation overall. Because this course was intended to be self-study, the program director wanted all of the SME’s talking points written in the materials—the “talk track” to the slide deck accompaniment. In the SME’s mind, though, the “talk track” was already there because he was automatically filling in those additional points in his head as he wrote out the slides. The SME understood the overlay information, but it wasn’t apparent to the program director. In the meantime, the program director felt something was missing from the course yet didn’t know what to ask for.
When I spoke to the program director, he insisted he’d explained what he had wanted “the first time” they had talked. When I talked to the SME, he said he hadn’t received any instruction beyond, “more.” To the SME, the materials he’d submitted were the baseline that needed to be tweaked. In the program director’s mind, the SME had no clue how to write a course.
The two weren’t communicating at all, despite information exchanged verbally and through emails.
We just feel like we don’t have the means
In this particular example, to clear up the confusion, what was necessary was for both parties to step back and ask themselves: “What am I not saying? How can I alter my message so that it’s (more easily) understood? What questions do I need to ask the other person to be able to understand how I can help him?”
The goal of communication is to provide information needed by the other individual(s) that allows you to get what you need. That need might be course materials. It might be a pancake. Or it might simply be an understanding of the information delivered. In any case, “communicating” isn’t dumping information on another person and assuming they’ll receive the message the way you intended. Nor is it helpful when the deliverer of information insists on being “right.” Sometimes a message needs duplicated iteration; sometimes the message needs to be modified entirely. We generally all know what we mean when we deliver information. Just because something makes sense in our heads, though, that doesn’t translate to understanding by someone who is not us and has different thought processes, environmental considerations, task lists, perceptions, etc.
To rise above and beat it
The best advice for communication I’ve ever heard was: Start asking more questions. This is true of the conveyor of information as well as the recipient. In other words, if you’re the person relating information, ask, “Does this make sense? What else can I provide? Do you have everything you need? Does this work for you?” If you’re on the receiving end, “Can you provide examples? What else are you looking for? How will [whatever is being provided] be used? Do you have a preferred method/format for receiving the information? With whom will you share what is provided?”
These types of questions are just the tip of the iceberg when it comes to communication, and learning how to communicate better isn’t a simple task—we are all hardwired with our own personalities, preferences, and communication styles.
To become a better communicator, whether you’re a CEO, CISO, or comptroller, the key isn’t “just” communication; it’s learning how to deliver information in a way that makes sense for the listener and helps you achieve your goals. Good communication, at its core, is not about making someone see your point or hear your message; it’s all about helping someone else understand.