Suits and Ponytails: Why the two tribes in corporate cybersecurity have a communication problem (and how to fix that)

Storro Blog, Jun 20, 2016 (7 min read)

Folk wisdom has it that the different tribes in many companies have difficulty talking to each other. According to some fairly recent research, this old folk wisdom may not be far from the truth.

The upper management tribe (‘the suits’) and IT security specialist tribe (‘the ponytails’) turn out to have quite a different outlook on corporate cybersecurity…

Some examples:

According to this 2015 survey, corporate boards are often blissfully unaware of cyber threats. Most board members (59%) think that their company’s security measures are effective, but among security professionals only a small minority (18%) agrees with them. Board members often do not know about recent data breaches in their own company: only 23% of board members reported that their company had been breached, while a majority of security professionals (54%) stated that this was the case. A significant minority of board members (18%) did not even know whether their company had suffered a breach.


Many board members report a limited knowledge of cybersecurity. Only 33% of board members think that they have an accurate understanding; 41% feel that their understanding is inadequate, and 26% say they have minimal or no understanding at all. Many security professionals agree with them: this 2014 survey finds that 48% of security professionals think board-level executives have a sub-par understanding of cybersecurity issues. A staggering 80% say that their executives don’t seem to realize that data breaches often boil down to lost revenue.

The board may not be well-informed, but security professionals also don’t do a very good job at communicating these matters.

This 2013 survey reveals that 59% of security professionals filter out negative information before talking to their CEO and upper management. Many security professionals rate their communication with the boardroom as poor or nonexistent (47%). They think that the board won’t understand what they say anyway, because the subject matter is too technical (61%). Many don’t even try anymore, or only talk to the C-suite when a really serious security issue shows up (64%).


These are just a few dry statistics, but they say a lot about how these two tribes talk past each other, and it is not hard to imagine how this causes frustration on both sides.

The ponytails

Let’s start by looking at things from the perspective of the security tribe.

The security people believe that their managers (who know far less about computer security than they do) often ‘just don’t get it’ and seem more concerned with costs than with security.

Imagine having to defend a pile of grain against vermin. The pile is only protected by an earth wall around it, about half a meter high. When you try to explain to your superiors that you’ll at least need a shed with a roof on it to keep the vermin out, they give you a really blank stare. They have no idea what vermin are, nor any concept of things like piles of grain, earth walls and roofs. And when you are done explaining, they say something like: ‘We’ll make the wall ten centimeters higher, but that’s all we can give you. This roof thing you talk about is way over our budget!’


Since it is your job to protect the pile, the finger will be pointed at you when mice and insects nibble away at the winter supplies. And with a roofless wall, vermin will be creeping in all the time. So you don’t report every single mouse dropping you find, because then your bosses would think you are the worst pile protector ever.

Therefore many security specialists aren’t eager to tell the suits what is really going on. And because the suits don’t know what is going on, they look at things from quite a different perspective.

The suits

For upper management, the security department is one you don’t really feel a connection with. Undoubtedly, the security department does useful work, but they never come to you and say: ‘Hurray, we completed this project! Come take a look and see how cool it turned out!’

You only hear from them when they want something from you.

Then they pop up in your boardroom, asking you to buy this super expensive software suite. And yes, they want it installed throughout the entire company network. Or they want everyone in the company to comply with some new ‘security protocol’. And somehow, this always boils down to another set of annoying rules that make it harder for everyone to do their job properly.

They give you this long and technical story, laden with terms like ‘port scan detection’ or ‘network layer protocol’. No one really understands it. No one asks for clarification either (these super smart IT folks probably think you’re a dinosaur when you ask them a stupid question). But apparently, this story implies that the company must honor their request, or else! Something terrible will surely happen. These horror stories do not really impress you, however. These security geeks see hackers around every corner, but to the best of your knowledge, your company has been doing just fine over the last few years.


Yes, you understand that this new thing will be useful to them. But sometimes these IT guys lose sight of the bigger picture. They need to understand that you, as a manager, have to make choices. You have a business to run and your resources are limited. Other departments have their wish lists too. So, enough is enough.

The misunderstanding

And so, when the meeting is over, the security team wanders off, once again reinforced in their beliefs. They think that it is useless to talk to their executives. They believe that ‘the suits’ only worry about the cost of everything, and that these people can’t get it into their thick heads that good security will actually save them money. Lots of money!

But how can the suits come to this realization when they have no clue about the number of pests out there? When they seldom hear about the amount of grain saved each day thanks to the efforts of the security team?


It is a vicious circle of misunderstanding. Is there a way for these two tribes to get off their respective islands and find each other again?

The solution(?)

This company whitepaper offers some suggestions for a way out, with different recommendations for each tribe.

For the board members, the first step is to get educated about cybersecurity. Often, security people try their best to give a clear explanation of what they are doing. But it is very difficult to talk about roofs, piles and vermin in a comprehensible way when the audience lacks a basic understanding of those concepts. To close this knowledge gap, boards can appoint new members with a technical background, or take an introductory course in cybersecurity (or, even better, do both).

Boards also need to realize that security does not only concern the IT department. The security crew needs the cooperation of the whole company. One cannot expect them to keep everything safe if the other departments ignore all standard security practices, or when management isn’t willing to spend money on a proper shed. Another thing boards must accept is that there is no such thing as 100% security. Security people will never be able to stop every threat. There are simply too many of them.


So if something goes wrong, that does not necessarily mean that the security department has messed up. Boards should make clear to everyone where responsibilities and accountabilities lie, so that security people can report incidents without having to fear negative consequences.

There are also a few recommendations for the security tribe.

Security people need to learn to speak ‘business’. Often, they present their plans as a technical solution to a technical problem. But their audience consists of executives, not technicians. If they want to get a message across, it is more effective to frame the story in the board’s own context: what the board needs to know, why it matters to the board, and what is expected of them.

Also, security people should try to connect security with specific business goals. This makes the subject matter more concrete and more relevant to board members. Think, for instance, of a family business that enjoys a public image of being a reliable company. Here, security people could emphasize that thorough security measures will reinforce that cherished positive image.


And of course, the security tribe needs to be more communicative about what it does from day to day, so the ‘suits’ can understand what the security department is doing and why that matters.

Of course, reality is always more difficult and messier than the ‘key recommendations’ in a shiny whitepaper suggest. But people need to start somewhere, and cynicism is certainly not going to help here. Trying to look at things from the other’s perspective just might.


Storro is a peer-to-peer Blockchain application enabling you to store and share files with unprecedented security and true privacy.