Security Careers: Responding to questions successfully

Michael Santarcangelo tells us why explaining the reasons behind security policy, rather than relying on a quick answer, can go a lot further toward employee compliance and understanding

Michael Santarcagelo, security career catalyst

"Why can't I used my iPhone at work?"

A simple, common question asked in organizations around the world on a daily basis driven by policies against using iPhones, iPads and other "unapproved" portable electronic devices. As a result, questions abound.

And that's a good thing.

What is more versatile and powerful than a question?

A simple approach to learning, sharing, teaching and exploring, questions are as much art form as workhorse of our ability to communicate. While learning how to ask questions and listen to answers is important, an often-overlooked key for career success is learning how to respond.

When someone asks a question, what is your response?

We are asked dozens, maybe hundreds of questions a day. Are these questions treated as interruptions to be dismissed as quickly as possible, as personal challenges, or are they given consideration and addressed with the right response?

See also: 4 reasons why executives are the easiest social engineering targets

During a recent awareness assessment — where we understand key behaviors, opportunities and challenges — one of the participants explained, politely, that the current policies prohibiting iPhones were misguided, restrictive and unenforceable. The anonymous response ended with a question, "if the policy isn't going to be enforced, why restrict us?"

Great question.

This is why questions are so important. Individuals ask questions for a variety of purposes — to find out if they can do something, to understand a situation, to make a decision — all focused on gaining information. Now, while many questions require a simple yes or no answer; a question like this is an opportunity to share an explanation.

Consider this:

  • 12 percent of employees reported intentionally violating company policies in a survey conducted by Fiberlink; in my experience, the actual number is likely to be even higher.
  • 90 percent of employees reported their own ability to manage risk as good or excellent (good enough they'd bet their paycheck on it) in a recent Awareness that Works" assessment I conducted (Security Catalyst, Spring 2010)
  • 35 percent of respondents have felt the need to work around their organization's established security policies and procedures just to get their job done
  • Nearly half (41 percent) of the respondents have determined that employees have been using unsupported devices, and more than one-third of that number said they have had a breach or loss of information due to unsupported network devices.
  • 65 percent of respondents frequently or sometimes leave their workplace carrying a mobile device such as a laptop, smartphone and/or USB flash drive which holds sensitive information related to their jobs.

From the information above —and our own experience — it is clear most employees are aware of policies against unapproved or personal use of mobile devices. But they are also willing to ignore these policies — largely justified by the confidence in their own ability to properly manage risk and the need to get their job done. And despite the experienced loss of data — most hold a view it won't happen to them.

This means when someone is asking about using their smart phone, they aren't they aren't seeking a simple answer of "no," or a regurgitation of policy. They got that part — and it didn't connect with them.

Most people know the policy prohibits these devices — but they don't understand why. This requires an explanation. And a lecture about why "smartphones are a security risk" — true or not —doesn't wash with users. So when they question the policy, they want to understand why the answer given is accurate; they want the explanation.

Asking for an explanation — or otherwise seeking the why — is not always about defiance or a challenge to authority. Regardless of how it may seem, the approach may be the only way to gain the insight needed for the answer to make sense.

Questions are the catalyst to conversations; conversations are the key to understanding — and that works both ways. So when people ask a question, consider it an opportunity to begin a conversation.

Understanding the question guides the "answer"

While the ability to determine when someone wants an answer versus an explanation is developed over time, a good way to start practicing is to ask. When someone asks a question, listen to the question, and if it seems appropriate, ask, "Do you want the answer, or the explanation?"

Sometimes the answer is easy: they are pressed for time, and they simply want the answer. Or they know they want the explanation. Either way, the simple act of taking a moment to ask and understand the intent behind the question has started the process. And that's what matters.

Sometimes, when someone asks a question, they don't actually know that they seek the explanation. In that case, it helps to ask some additional qualifying questions, provide a brief answer and see where the conversation leads. This is about depth, breadth, context and purpose. Sometimes, the straight answer is the right approach — but delivered in a way that opens the door for an explanation later.

Here is the challenge: being good at something doesn't mean you're good at explaining it.

While giving an answer might be easy, explanations often require a bit more though and a few different skills. It is important to practice this skill, as explanations can be mutually beneficial:

" Sometimes we find out we weren't talking about the same things and gain the ability to get "back on track" " Often when explaining a concept, we realize elements in a new light and improve our own understanding (I find the more I explain and share, the more I want to share and explore)

The ability to explain a concept to a peer doesn't necessarily equate to being able to explain it to someone without the same experience and knowledge base. Cultivating this skill requires some practice across five key areas:

  • Listening to what is being said, and what is left unsaid
  • Asking probing questions to assess the context and find a connection
  • Learning when to provide answers, explanations and the combination that works
  • How to break down and explain information tailored to the need of the audience
  • The confidence to admit something isn't known, and the commitment to go find a suitable answer

So when someone has the courage to ask the question, we can choose to create a safe environment for them and guide them with answers, explanations or both. This leads the way to the conversations that matter most where no one is a fool.

About Michael Santarcangelo: The author of Into the Breach and creator of Awareness that Works", Michael Santarcangelo is a catalyst that advocates for individuals while advancing organizations. By connecting individuals to the consequences of their actions, he delivers results that reduce risk, increase resiliency and allow organizations to more with less. Guaranteed. Learn more at www.securitycatalyst.com or engage with him on twitter.com/catalyst.

Join the discussion
Be the first to comment on this article. Our Commenting Policies