Security professionals have many tools in their toolbox. Some are physical in nature. (WireShark, Mimikatz, endpoint detection and response systems and SIEMs come to mind.) Others not so much. (These assets include critical thinking faculties, the ability to analyze complex processes, a willingness—some call it a need—to dig in and find the root cause of an issue and a passion to learn and keep learning.) One such tool that’s often overlooked is, communication. Regardless of where you are in your security career or what you do, you need to communicate with others, written and verbally. Sometimes to explain a risk or vulnerability to the business. Sometimes to explain why you need, or do not need, a new tool to management. Sometimes to explain the requirements of new functionality to developers. Whatever the reason, miscommunication can cause confusion, produce inefficiency and lead to frustration. I will skip over the foundational aspects of good communication such as honesty, reliability, consistency, good grammar, excellent spelling and legible handwriting and instead jump to a few less-thought-of ideas which I have found to be roadblocks in my own experience.
Be succinct
I am guilty of writing 100 words when 10 will work. Of continuing to babble long after my message has been delivered. For me, it is primarily to ensure my message is coming across, that my audience understands. This tendency stems from a lack of confidence in my ability to communicate. People are busy, and the means of communication are inefficient. It can lead to confusion as well as watering down the message. Say there is a vulnerability affecting Windows and Linux. You need to inform your management of the vulnerability. If your company doesn’t use Linux, then don’t bring it up. Do not go into the technical weeds of the vulnerability unless it really adds to the point of the conversation. Sometimes, it will take a thousand words. If it does, make sure to pause. Silence is OK. Give your audience a chance to digest the information and ask questions.
Know your audience and be clear
Do not muddy the water with unnecessary information. Do not use different terms for the same thing. Explain terms, acronyms, techno-slang or whatever you want to call it if you think there is even a chance your audience might not know it. This becomes increasingly important as you cross business boundaries or move up or down in an organization. The level of information and the way you present it to the person remediating an incident is different from the level and way you present it to management. Even though it is the same topic, they need to know different things and have different levels of understanding. I am not saying you should dumb down the topic. Security is complicated. Security decision-makers need to understand the issues. However, don’t use super cryptic terms and concepts just to sound important or to have the topic sound important. This just leads to misunderstandings or the audience tuning out. It could also adversely affect any future communication between you and the audience.
Be realistic
With media turning every vulnerability into the next EternalBlue or Purple Starry Panda (whatever), we need to ensure that what is important to us, to our organization, is what is communicated both up to management and to those making the changes. We need decisions based on accurate facts, not hype. Ever talk a decision maker off the ledge because they were given inaccurate information about how bad a vulnerability really is? Ever over-emphasize the danger of a vulnerability because you want to implement something? Instead of over-emphasizing, find a different way to communicate the need, the importance. Do not leverage the audience’s fears or misunderstanding.
Communication is a two-way street
If you are the audience, your communication is equally important. Pay attention. Put the phone down. Guessing I am showing my age, but if I am talking to a group or an individual, I find it disrespectful if the audience is concentrating on their phone or other things. I understand some of us are on call. If it really is urgent, interrupt the speaker, do what needs to be done, then ask the speaker to continue. Ensure you understand. Ask clarifying questions, reword what they said into your own terms and ask if that is what they meant. Sometimes, this is hard, especially if you are the only person in the room who might not know a term or concept. However, if the speaker will ask for your opinion, wouldn’t you rather understand the topic and give an opinion based on what you know versus a guess? I am under no misconception that hundreds of people will read this or that all who do will have profound epiphanies. I hope someone takes something away from it. Some readers will disagree with the content. Some will not make it past the first paragraph (or even the title). Has this message been published before? Yes, and better. Does this mean I shouldn't have written this article? No. Maybe, just maybe, someone will read it and learn something. Maybe my way of communicating will resonate with someone where previous articles have not. Regardless, it is a chance for me to sharpen my communication skills. Practice is the only way to get better. Take all opportunities to practice. Try practicing a conversation with a co-worker before going to the intended audience. Ask others in the know about the audience to help prep for the level of information to provide. Keep communicating and sharing, and your skills will improve.
About the Author:
Scott Worden, Security Engineer at an insurance company in the Midwest. Scott’s primary responsibilities are threat detection, threat response and helping to mature the security operations center in which he works. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc or the company for which he works.
