When you’re talking information security among your peers, it sounds like a totally different language than the rest of your organization speaks. But as technology increasingly becomes ingrained in nearly every corporate function, it’s up to you to become a “bilingual” communicator so you can educate the key company stakeholders about cybersecurity’s best practices.
Here’s why information security communication matters:
- A survey at the Black Hat security conference found that 84 percent of cyber attacks reported had been due to human error.
- What’s more is 41 percent of board members admitted they lacked expertise in cybersecurity, and 26 percent said they had minimal or no knowledge of cybersecurity, as per a Fidelis Cybersecurity Survey.
- In an Accenture survey of more than 1,400 C-suite executives, including Chief Information Security Officers (CISOs), respondents believe cyber risks will only continue to grow as IoT technology (77 percent), cloud computing (74 percent), and sharing data with third parties (70 percent) become more widely adopted.
- Despite acknowledging security gaps, however, just 25 percent of those in executive/management roles said they were extremely concerned about their company’s level of security today.
This puts infosec professionals in a bind. On the one hand, security vulnerabilities exist throughout the company. Yet you, alone, are carrying the burden of knowing just how serious it can get. That’s why it’s up to you to create an information security communication strategy to make sure that the powers that be understand the security risks, what procedures can help protect the company from a potential breach, and why it’s within everyone’s best interest to get on board with security measures.
While it might have been OK for tech talk to remain within the silo of your department back in the day, you’re going to have to tone down the IT security terminology if you want to get others to understand what’s at stake. Namely, the ubiquitous electronic data flow we have today means that sensitive information, your company’s reputation, and the bottom line are at risk 24/7.
The question is: What can you do to convince the higher-ups at your enterprise organization that cybersecurity is everyone’s problem?
How to Evolve Your Communication Strategy
Just like how technology is continually advancing, so too much your communication skills set. Here are some strategies to help you make sure the gravity of cybersecurity threats are not lost in translation.
Scale it down, and put it in writing.
You can’t help talking in technical terms, but when you’re among upper management, you need to simplify cybersecurity issues into an easy-to-comprehend language. Use metaphors if you have to – the idea is to break down complex topics as if you were explaining it to kids. Better yet, create a formal presentation using visual aids, something corporate types are comfortable navigating.
Enlist cybersecurity evangelists across departments.
The people on the front lines of your company’s data – salespeople, marketers, developers, customer service – all need to be aware of security risks. By creating informational packets or training that is team-specific and that demonstrates how cybersecurity affects their jobs, it gives leaders more incentive for wanting to spread the message.
Create simple security bulletins.
Intensive cybersecurity training can be overwhelming and time-consuming, but gentle digest-sized guides and tips can go a long way. Send out a weekly newsletter or post up flyers with some “cybersecurity 101” concepts so they eventually become well known. For instance, things like remembering to make sure a site is legit and secure before filling out any information or explaining how a phishing scam works.
Perform tests to create teachable moments.
Have your team periodically send out a fake phishing email to get a sense of how many people fall for it. From there, you can report the findings to the organization as a whole, or counsel the individuals who fell for the scam. You might even decide to implement something like Cisco’s Security Ninja training program. Their employees earn new belt levels with each level of training they complete. And when they do testing, Cisco sends employees who click on malicious links to the “Phishpond,” an interactive training site that illustrates what they did wrong.
Learn their language.
Good communication is not just about trying to translate tricky cybersecurity concerns. It’s also about becoming knowledgeable about the business so that you can consider security matters through an executive lens. Becoming conversant and incorporating business terms like bottom line impact, productivity, and company reputation into your communications will help your message better resonate with C-suite executives.
By learning to speak in terms that the stakeholders can relate to and putting a plan in place for training and ongoing communications, you’ll strengthen the information security of your company from within.
Sidebar: Glossary of Cyber Security Terms
As you ramp up your information security communication, start by sharing key IT security terms with executives and department heads in your company. Start by making sure that everyone understands this glossary of cyber terms:
What To Say: Cloud computing technology is what allows you to perform our daily jobs over the internet and via a variety of devices. It means that our systems, programs, and data are powered remotely so our company does not have to maintain the infrastructure on-site. It saves us money, increases our connectivity, and allows the organization to scale as needed.
What To Say: IP is similar to your home address. It’s a unique address that identifies a device on the Internet or a local network, and it’s made up of four sets of numbers from 0 to 255, separated by three dots.
What To Say: A virtual private network can help protect our company network when you work from home or on your own personal device. It encrypts the data and adds an important layer of protection so that people can’t hack in through your network.
What To Say: This is important technology that blocks unauthorized users from accessing the company’s network or data. So even though it might slow you down sometimes and stop you from downloading something, it’s very necessary.
What To Say: You know how you have to request text or email code in order to log in to a specific website sometimes? That’s what this refers to -- a security protocol that adds extra layers of security by asking for multiple forms of identification.
What To Say: The word is a mash-up of malicious and software, and it’s exactly what it sounds like. It’s a blanket term for any software or code that is used to penetrate or damage computers, networks, and/or servers or provide unauthorized access. Worms, viruses, and ransomware are all types of malware.
Phishing, Spear phishing, Whaling
What To Say: When cybercriminals try to trick you into clicking a link, filling out a form, or performing some other type of activity, it is called phishing. Usually, you’ll get an email that looks like it’s coming from a legitimate sender, and it will send you to a real looking website. It looks legit, so you feel OK about entering your information, but it’s a scam. Most of the time, these attacks are random, but if you’re targeted specifically, that’s called spear phishing; and if it’s targeting a corporate exec, it’s sometimes called whaling.
Insider vs. Outsider Threats
What To Say: Insider threats could come from a disgruntled person who works at the company or perhaps a former coworker who purposely tries to wreak havoc on the network, leak sensitive information, or steals company information. Outsider threats infiltrate the company from the outside, looking for vulnerabilities. This is why you should never share your login information with anyone -- even a work colleague.
What To Say: This is another term you may hear, but it simply refers to using manipulation to get people to give up sensitive information, click on malicious links, or downloading viruses. Phishing is a type of social engineering.
Distributed Denial-of-Service (DDoS) Attacks
What To Say: Imagine you try to login to your system to do your work and you can’t. The system is stalled, or it keeps locking you out or crashing. It could be that your company is experiencing a DDoS attack that overloaded the systems in order to prevent you from doing your job.
For a deeper dive on topics like this and others, you still have time to register for the 25th annual InfoSec World Conference & Expo in Orlando, Florida. Here's everything you need to know.