Blah, blah, blah: Cut the security jargon

There continues to be a disconnect between security practitioners, their bosses and people from other business units. Language continues to be a big factor.

That’s one of the messages in George V. Hulme’s latest article: “The business-security disconnect that won’t die.” George captures the problem from two sides.

First, the security practitioner who can’t catch a break:

“The IT security profession is always looking for ways to get into the requirements and design phases of a new application or initiative. But we’re often not brought to the table until the actual initiation of the project. Unfortunately, by then, there’s little we can do because the architectural standards are gospel in the requirements. Also, there’s little that can be done at that stage to improve security design without increasing costs tremendously.”

Then, the perspective of someone on the operations side:

“Often, when we bring IT security into the system design functions, all we hear from security are roadblocks about why things can’t be done securely. They’re often overly technical, way too early in the discussion, when talking to the business side.”

Both of them make valid points. But I’m not certain that these folks are really trying to understand each other.

One problem is that there are security practitioners out there who truly believe it’s not their job to talk to an exec in his or her language.

One fellow said just that during a podcaster’s meet-up at the 2010 ShmooCon conference. In response, my friend James Arlen got up and told the guy, “That’s why you’re not the (expletive deleted) boss.”

Arlen was right.

Security pros should know by now that language is hugely important. If you’re not willing to take the time to turn jargon into words others can relate to, then it could stunt your career and ensure that serious security needs are not met.

My colleague, Joan Goodchild, wrote a good article last year called “7 communication mistakes CSOs still make.” Three points from that article deserve mention here, since they tie into the main point:

Neglecting to relate security to everyone

Lorna Koppel, Director of IT Security with Wisconsin-based manufacturing firm Kohler Company, believes everyone in an organization, not just the security team, needs to understand how security is working for them. That means listening to user pain points and creating solutions with that in mind.

In a recent initiative to implement an identity management solution, Koppel and her team focused on issues users with having with the existing infrastructure before going forward.

“Issues like getting access quickly, synchronizing passwords, and allowing them to use applications less frequently without losing access. By looking at all those things, we made their work easier.”

The result was giving users one place to go and synchronizing all passwords across multiple applications. Koppel said while the new system wasn’t the platinum standard from a security perspective, it significantly bettered the security situation throughout Kohler. That’s because while users only had to have one password, it was required to be a strong password, something many were neglecting to use before.

“Now when I sit down with people throughout the company and tell them I’m the person behind it, they say ‘Oh, you’re the one!’ and are usually very pleased,” said Koppel. “If we can solve problems for the user, we can also give them tighter security controls and they don’t mind.”

Failing to understand cultural differences

Roger Dixon, Head of Information Security with global investment-management company Invesco Ltd., is responsible for a security department that spans the world.

“My team is scattered around globe,” he explained. “When communicating you always have language challenges. And every region is under different pressures within that position.”

Dixon said culture differences mean his messages need to be conveyed in multiple ways to avoid offense or misunderstandings. A message that maybe straight forward in North America would be seen can be seen in an entirely different light in other countries. A one-size-fits-all approach will cause problems, he said.

“You may have improper activity, a policy violation, occurring somewhere in the business and you need to put out a message to address that,” he said. “In North America you could get away with a ‘cease and desist’ message to stop the activity. But a ‘cease and desist’ has a slightly different connotation when you use it in the UK. In the UK they would see it as a legal term. To employees there it could be seen as the IT security department putting on airs with a legal term for a simple policy violation. Where you can get away with a stronger term in the States, it doesn’t necessarily go over in other cultures.”

Dixon said it is paramount to draw upon employees within different regions to help communicate in an area-appropriate fashion.

Failing to make the business case for security

As security’s profile in business has risen significantly in the last decade, so has the CSO/CISO’s status among executives. But Dixon said despite the increased emphasis on security, executives and employees alike glaze over when technical talk begins. Folks outside the security department are simply looking for someone to give it to them in terms they can understand, he said.

“They expect to bring a security question to security and get an answer that relates to the business, not how it relates to IT. You need to be able to present and bring security across all areas of the organization.”

Dixon said he finds the most success when he takes the approach of simply explaining to others what risk they face, and what the potential outcome might be for not taking the path security lays out. Koppel echoes Dixon’s thoughts and said she is always working to convey the message that security understands the bigger picture of business.

“We are looking at all business processes,” she said. “We’re not just putting in a firewall and trying to prevent them from doing what they need to do.”

The lesson here and in past articles seems to be that, when relating security risks to people who aren’t security experts, simplicity goes a long way.

–Bill Brenner

one-stop view of latest business threats. We created it for you! Bookmark it! Use it!

CSO’s Daily Dashboard gives you a