Why Security Communication Matters More Than Ever.

Ellie Hurst, Head of Marketing Communication and Media at Advent-IM and a finalist in the Cyber Writer category in the Security Serious Unsung Heroes Awards 2019.

I joined the security industry a little over eight years ago and my role is Head of Marketing, Media and Communications for an independent holistic security consultancy.

Working in a communications type role, means one gets to see a very wide variety of business challenges. Working in a communications role in the security sector, means that I get to see a wide variety of challenges, in a wide variety of roles, in a wide variety of security functions or silos. My initiation into security feels like it has only just got underway and every day is a school day. Socrates was right and the only true wisdom is knowing you know nothing.

The bad news is, broadly speaking, security communication is failing. By this I mean users are still being sold magical cyber amulets, businesses and security teams are still not talking the same language, security still struggles to be understood in the boardroom and wider business and FUD still rules the editorial and marketing waves…. with some notable exceptions (see the shortlist for Security Serious Unsung Heroes Cyber Writer awards).

Are we trapped into the madness of doing the same things over and over and expecting a different result? Well, security breach and incident levels, across a variety of studies, is apparently in double digit growth, as is cyber security spend. Now, I am no mathematician but clearly something isn’t working and how we communicate security must shoulder its fair share of responsibility.

All of this is happening against the backdrop of an increasingly volatile threat landscape and unprecedented levels of demand and expectation of security professionals. Businesses have separated security off in so many ways and yet, at the same time, expect security to positively impact end users and without saying, no, to anything.

Users don’t really understand, possibly through lack of training and awareness, the role that they play in their organisational security. This doesn’t mean that they are ‘stupid users’ but that the security blind spot is frequently people and businesses rarely invest enough time or money into creating aware and well-trained users. Sadly, this tends to make them more of a threat and less of an additional line of defence. If ever there was a function misunderstood and widely underappreciated, it is security and business’ current relationship with security simply isn’t sustainable. The question is what we do about this?

We all know that communication goes both ways and security is not always its own best friend when it comes to talking to business and boards alike. Some research compiled by Osterman1, a while ago which I believe is still valid, asked business leaders and security professionals how the communicate with each other and what the results were. As it transpired, the results were scarier than a product presentation at a security expo; leaders said they needed reporting that was less technical and more insightful, whilst denying they had any problem understanding what they were currently being given.

At the same time, security professionals said they knew their boards did not understand what they were being given but the directors would not communicate with them about what they actually wanted. The upshot was that many respondents felt that risk was not actually reduced as a result of their interactions… leaves you wondering what everyone thought they were doing really, doesn’t it? Whilst we are talking about research, you may also wonder why 2most board members and senior executives responsible for their organizations’ cyber risk management spent less than a day last year focused on cyber risk issues.

Because we have embraced technology so much more readily than its security? Because security is someone else’s problem? Because security always says, no, so they are always last to the party and forced to retrofit a solution? At least we can start to see why in part, increased spend hasn’t equated to reduced incidents. The joined up nature of cyber criminals and their wealth of effective and increasingly honed tools can’t be minimised, of course.

My vision for security communications sees security professionals supported by their users, because those users understand the part they play in every day security. Boards free to admit and talk about what reporting they need to see and how they need to see it; increasing their interaction and connection to security strategies that become increasingly business supportive. Also security professionals acting as expert and valued advisers to their businesses and by tailoring their own communications, ensuring best outcomes rather than using the same security lexicon, multilaterally.

Finding ways to do this, preferably in a cost neutral way, is a challenge. I feel communications teams offer part of the solution to some of the problems I have briefly laid out here. Using them to help create security board presentations and reports, security training materials and inter-departmental communication, means that a. the business lexicon can be adopted by security, making their communications more effective and reducing risk through understanding and b. an appropriate security lexicon can be built and moved through the business with every communication; board and user, alike.

I believe that the future belongs to those who will embrace the communication change; leaders, users and security professionals. It’s not going to be easy, but nothing truly worthwhile is. #JustSaying

1. Osterman Research (2016) for Bay Dynamics “How Boards of Directors Really Feel About Cyber Security Reports” and “Reporting To The Board, Where CISOs and the Board are Missing the Mark”
2. 2019 Marsh Microsoft Global Cyber Risk Perception survey