Across the information security community, the refrain is “business leaders don’t understand the importance of cybersecurity” or “business leaders ignore us.” As someone who spent the better part of her adult life teaching, I think the issue lies less in not understanding the importance and more in not knowing how to fix things.
When presenting in class, I used to make eye contact to determine whether students understood the concepts. The glazed-over, half-asleep look could mean one of two things: they were really overtired or they didn’t understand.
When in doubt, I always opted for confused. Cyber has professionals and business leaders, but it’s missing teachers. Leveraging English Language Learner (ELL) teaching strategies can bring both sides of the discussion closer together - building relationships and creating meaningful cybersecurity programs.
What Are the ELL Principles?
For many people, cybersecurity is a “second language.” The words may mean one thing in IT and something else in other areas, or they may simply sound too difficult to understand. However, if IT professionals focus on the meanings rather than just the facts, everyone can make better decisions.
Learning, just like cybersecurity, is continuous. You need to continuously monitor what your audience knows. You need to continuously assess their knowledge. You need to continually remediate problems.
Set a Purpose
Before going into a meeting, you create an agenda. Setting a purpose for the discussion gives everyone the same starting point. While everyone may know that the meeting is about assessing the risk of a new vendor or a new tool, they may not understand how and why those risks matter on a deeper level.
This means that part of setting the purpose is knowing your audience: who they are, what they already know, and what you need them to know.
Frontload Your Lesson
In education, we talk about “meeting students where they are.” Too often, though, teachers make assumptions based on what they think students should know. Unfortunately, you know what they say about those of us who assume.
Activate Prior Knowledge
Find out not only what they know, but how they understand the concept. Someone may know the term “firewall,” but if they can’t explain what it does, they don’t have the knowledge.
If you start with the basics, you’re more likely to create a meaningful context. For example, if you’re jumping into a conversation about a Software-as-a-Service provider’s security posture as part of vendor risk management, and the audience doesn’t understand why a web-based application is risky, you need to explain what the specific risks are.
No, you don’t need to say “SQL injection,” although building up meaningful vocabulary over time would help. Yes, you do need to explain how and why web-based application logins are dangerous in a way that people understand: “So, cybercriminals can type crafted text into the login box that the application treats as commands, which means they can gain access to the systems and networks behind it.”
The most important part of teaching business leaders cybersecurity is that they can then make connections between different concepts. To truly understand the business risks involved in a project, they need to understand why a vendor or operation poses a cybersecurity risk. In other words, they need to understand more than the what; they need to get to the why and how.
Klingon and Buffy Speak: Why You Care
Ok, first, this post would get super boring otherwise. Second, let’s take a look at a non-cyber example before moving to cyber-specific ones.
Klingon: Different Vocabulary and Structure
Not only are the sounds entirely different from English, the order of the words differs as well. In English, we typically order a sentence subject (pronoun) - adverb - verb - time adverb. Klingon orders it differently: time adverb - adverb - verb, with the pronoun attached to the verb as a prefix. Thus, not only are the words different, but the order is as well.
For a lot of non-technology people, this is exactly what cybersecurity sounds like. A foreign language made up of sounds that make no sense and a nontraditional order of operations.
Slayer Slang: Transforming Language
Meanwhile, for a lot of IT professionals, business language seems equally disconnected from their reality. Buzzwords and jargon used by business leaders may not seem to mesh with IT needs.
As a long-time Buffy the Vampire Slayer fan, I find Slayer Slang a great analogy here. Often, Buffy seems to speak with a pop culture focus that appears unsophisticated. Yet the linguistic gymnastics baked into Slayer Slang use words in genuinely inventive ways.
For example, characters in Buffy use the word “much” at the end of a sentence, turning it into a rhetorical question rather than the traditional quantifier.
Traditional: She spent much of her life in California.
Slayer Slang: California girl, much?
Slayer Slang also transforms nouns into verbs.
Traditional: He used an app to turn the photo into a cartoon.
Slayer Slang: He cartooned that photo.
Finally, Slayer Slang uses suffixes such as “-age,” “-ness,” and “-y” to turn nouns or verbs into new nouns and adjectives.
Traditional: She felt like a superhero.
Slayer Slang: She felt all superheroey.
While Slayer Slang elicits laughs, sounding unsophisticated and youthful, the ways in which it uses language are sophisticated. In short, it’s not that Slayer Slang is “stupid,” it’s that it’s “different.”
How Does This Connect to Cybersecurity?
One of the biggest disconnects in the cybersecurity realm is the difference in the way information security professionals and business leaders think and talk. Business leaders approach technology looking to increase revenue, streamline business operations, and scale. Cybersecurity professionals approach technology looking at the likelihood that a cybercriminal will infiltrate the environment and ecosystem.
Thus, in the same way that Slayer Slang seems banal yet quietly subverts traditional language, business leadership’s goals can seem banal to us yet reshape how the company actually works. Meanwhile, cybersecurity often seems unapproachable until we break it down into something people already understand and know.
All of this is to say that the same strategies we would use to bridge Klingon and Slayer Slang can be applied to information security conversations.
Frontload the Lesson: Make Training Meaningful
Anyone who’s ever taken a standardized test knows that multiple choice questions fail at assessing deep knowledge. Moreover, many trainings fail at providing insight into how well staff, specifically the c-suite in this case, can apply the information. To change the conversations, we need to do a better job of meeting employees where they are and then building that information into knowledge.
Identify the Objectives: Giving the C-Suite the Vocabulary
Let’s start with the basic concepts. We spend a lot of time in cybersecurity explaining how to protect against phishing and spear phishing attacks. In fact, chances are you have several trainings that you make your staff take. Yet we still see phishing as one of the primary threat vectors. So, clearly, if employees are taking the trainings and passing the tests, and phishing still works, there’s a problem.
What’s the real issue? They don’t understand why phishing attacks matter beyond “they let cybercriminals do bad things.” Let’s look at how we can change the way we give information, applying teaching strategies to make the communication more effective.
Lay Out the Foundation
Email is a primary threat vector for several reasons. First of all, we all know that email addresses within a company follow a predictable pattern.
We also know that people continue to create weak passwords because they find memorizing a lot of login information burdensome:
- Many users include “password” in their password
- Many users use a date or season as a password (August2017 or Spring2017)
- Many passwords use “123” somewhere in the password
The c-suite knows all of this. But in reality, while everyone knows this, things aren’t changing. So maybe we need to create conversations that focus on the why and how more than the what.
As a CISO, you need not just to explain the basics and give context, but to take the conversation from “what you know” to “what you need to know.”
How to Identify The Objectives
Thus, we need to start by taking the c-suite’s needs into account. Most likely, the c-suite will tell you that the reason they need email and its integrations is twofold:
- Email Functionality
  - Streamline communications
  - Enable better response times
  - Document conversations
- Employee Enablement
So, while cybersecurity professionals understand the risks and, in many cases, the business needs, we often focus on our side of the knowledge equation rather than both.
Make Connections: Take the Basics, Apply the Information
Once you’ve created a shared vocabulary, you can find the commonalities that promote meaningful conversations about security, risk, and compliance.
As a CISO, your concern is that attackers use software to make guesses at scale. If they figure out the formula the company uses for email addresses, they can build a list of every login name in the organization and run that software against all of them, trying a handful of the common weak passwords above against each account (what practitioners call password spraying). Once the c-suite sees that chain, they can connect “weak passwords” specifically to enterprise risk.
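The chain above, worked through in code as an added example that is not part of the original post: it assumes a firstname.lastname@company.example address formula (an assumption, not something the post states), uses a constructed employee list and constructed passwords, and models the attack offline in memory. It shows three things a CISO can put in front of the c-suite: how short the attacker’s guess list is, how many accounts fall to it, and how a policy check for the three weak-password patterns listed earlier would have flagged them first.

```python
"""Model of the guess-based attack described in the post.

Added example, not code from the original post. Everything below is
constructed: the names, the domain, the passwords and the address formula
(firstname.lastname@domain is an assumption for illustration).
"""
import re
from itertools import product

DOMAIN = "company.example"  # assumed address formula: firstname.lastname@DOMAIN

# Constructed sample directory; not real people.
DIRECTORY = [("Ada", "Lovelace"), ("Grace", "Hopper"),
             ("Alan", "Turing"), ("Joan", "Clarke")]

# Constructed passwords illustrating the three weak patterns plus one strong one.
CREDENTIALS = {
    "ada.lovelace@company.example": "Spring2017",
    "grace.hopper@company.example": "MyPassword!",
    "alan.turing@company.example": "Welcome123",
    "joan.clarke@company.example": "correct-horse-battery-staple-9Q",
}

SEASONS = ["spring", "summer", "fall", "autumn", "winter"]
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]

# season/month, optional separator, two- or four-digit year, not followed by more digits.
_SEASON_YEAR = re.compile(
    r"(?<![a-z])(%s)[-_ .]?(?:19|20)?\d{2}(?!\d)" % "|".join(SEASONS + MONTHS)
)


def derive_addresses(directory, domain=DOMAIN):
    """Turn a public employee list into the login names an attacker would try."""
    return [f"{first}.{last}@{domain}".lower() for first, last in directory]


def weakness_reason(password):
    """Return why a password matches one of the guessable patterns, or None."""
    low = password.lower()
    if "password" in low:
        return "contains the word 'password'"
    if "123" in password:
        return "contains '123'"
    if _SEASON_YEAR.search(low):
        return "season or month followed by a year"
    return None


def attacker_guesses(years=range(2016, 2019)):
    """The short guess list the post describes: season/month + year in the
    usual capitalisations, plus the obvious 'password' variants."""
    guesses = set()
    for word, year in product(SEASONS + MONTHS, years):
        for stem in (word, word.capitalize()):
            guesses.update({f"{stem}{year}", f"{stem}{year}!", f"{stem}{year % 100}"})
    guesses.update({"password", "Password", "Password1", "password123", "Password123!"})
    return guesses


def exposed_accounts(credentials, guesses):
    """Offline model of the attack: which accounts fall to the guess list,
    and which the policy check would have flagged before that happened."""
    fallen = sorted(addr for addr, pw in credentials.items() if pw in guesses)
    flagged = {addr: weakness_reason(pw)
               for addr, pw in credentials.items() if weakness_reason(pw)}
    return fallen, flagged


if __name__ == "__main__":
    targets = derive_addresses(DIRECTORY)
    guesses = attacker_guesses()
    fallen, flagged = exposed_accounts(CREDENTIALS, guesses)
    print(f"{len(targets)} addresses derived from the directory")
    print(f"{len(guesses)} guesses per account cover every season/month + year pattern")
    print("accounts that fall to the guess list:", fallen)
    for addr, reason in flagged.items():
        print(f"policy check flags {addr}: {reason}")
```

The point to make with the output is that the guess list is only a few hundred entries, which is cheap to try against every address once the formula is known, and that the policy check catches more accounts than the guess list does, so screening passwords against these patterns is a control the c-suite can understand and fund.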
Scaffolding: Build on the Basics
In education, scaffolding is the way teachers build on the basics to grow knowledge toward more complex concepts.
Most corporate phishing trainings stop at “don’t click, because malware.” By not going further, the trainings leave out the nuances people need.
The next step to meaningful education lies in building on that first lesson.
The G Suite Example
The c-suite knows that to scale and enable business operations, they need to use cloud and web-based applications. Google’s G Suite therefore provides an understandable real-life example of the impact phishing can have.
- Logging into G Suite requires only a corporate email address and password.
- A phishing attack that installs malware, or that lures the user onto a look-alike login page, can capture that email address and password.
- A weak password that cybercriminals can guess gives them the same access without any phishing at all.
- It’s not just one application that is compromised: the same login opens mail, documents and calendar, so the entire data environment is exposed.
Building on the initial vocabulary and training not only lets you discuss these things more purposefully with the c-suite, it also builds better cyber hygiene and makes the case for controls such as multi-factor authentication that break this chain even when a password is phished or guessed.
Stay tuned next week for “Translating Klingon Into Slayer Slang Part 2: Applying The Concept-Oriented Approach to Risk Assessment Conversations.”