Breaking down cybersecurity communication barriers
By John Davis
Oct 27, 2016
Those who’ve seen the 1967 film Cool Hand Luke will undoubtedly remember this famous line from the prison warden (played by Strother Martin) directed at the stubborn criminal named Luke (played by Paul Newman): “What we’ve got here is a failure to communicate.”
Over my many years in military and government organizations, I frequently thought of this phrase when addressing the challenges of translating complicated technical jargon to senior leaders who may not have been so technically savvy. In fact, I found that converting the technical information provided by my cyber threat intelligence, cybersecurity, and information technology teams into something meaningful for senior decision makers was an extremely valuable skill that managers should learn.
I also found that it was important to use such translation opportunities to educate senior leaders. These teachable moments allowed me to provide guidance and background on the intricacies of the cyber world and the technological aspects associated with the dynamic nature of cyber threats and the information environment itself. These explanations are important because, while tempting, relying on non-technical analogies can sometimes lead to bad decision making. The cyber environment is truly so unique that most analogies tend to fall apart at some point. It’s much wiser to instead help leaders gain a deeper understanding of “tech talk.”
It’s also critical to use these translation sessions in the reverse direction, to help educate technical teams about how to communicate with senior leaders. Technical teams must be able to facilitate decision making at the leadership level, regardless of the topic, cyber or otherwise. The more that technical teams understand the language and drivers of decision making within the organization, the more efficiently and effectively they can provide the assessments and recommendations that result in sound decisions by leadership.
Let me give you an example of the translation challenge and how I approached it. When I was the director of current operations at U.S. Cyber Command, my cybersecurity team might have said something like, “We had a penetration of the XYZ network through an SQL injection that exploited a known unpatched vulnerability.” The cyber threat intelligence team would follow that with, “We believe this was BLACK HORSE based on the use of a malicious domain associated with previous attributed intrusions and hallmark TTP for C2 and lateral movement to ABC enclave.” And finally, the IT team would add, “ABC enclave is where MNO data is stored unencrypted and the cache is inaccessible due to scheduled maintenance.”
These teams certainly knew their stuff, but none of this technical information would be useful in a report up the chain of command to senior decision makers. Ergo, the need for translation, which begins by understanding the kind of information decision makers need.
To make sound decisions related to security incidents, non-technical leaders want seven essential issues addressed:
- What is the operational impact to our organization resulting from what has happened (or how has the incident affected operations)?
- What is your assessment of the severity, scope, scale and consequences of this incident?
- What are we doing now to isolate the problem and limit the consequences?
- Who have we coordinated with and who else needs to know (those impacted or at risk, or those from whom we may need help)?
- Are there any reporting criteria this incident may have triggered?
- What options are available?
- Are there any timing considerations that may impact decision making?
As you can see reflected in these seven elements, it’s not about what’s happening at the technical level that’s driving the decision-making process at the most senior levels of the organization. Effective risk management and decision making is about being able to translate the conversation to what’s happening at the organizational level and the consequences for the mission (and for the business, as well).
It’s also a much easier discussion than the awkward conversations that can happen when leaders don’t know what to do next because they don’t understand their technical teams’ concerns. Instead, it gives non-technical leadership the ability to contextualize a very technical situation within the broader mission impact to facilitate wise decision making and effective action.
While the anecdote shared here involved the military, it’s important to remember that issues regarding cybersecurity and communication apply to any organization, public or private. By answering these questions up front, the technically focused teams can communicate more effectively and efficiently with their leadership, resulting in optimal decisions and action.
John Davis is vice president and federal CSO at Palo Alto Networks.