Why Cyber Teams Should Invest in Strong Communicators

COMMENTARY

Cybersecurity is a discipline filled with hard problems. Cybersecurity professionals are charged with protecting a rapidly evolving technology landscape from adversaries that are not constrained by profitability, productivity or employee privacy — and they need only a single security control to fail for them to be successful.

Today's cyber landscape requires an organization that can swiftly discover, discuss, and mitigate risks while also driving a culture of security that ensures every employee understands their role in protecting the organization. Curating a security culture that swiftly abates risk requires a cybersecurity team of excellent communicators.

Effective communication is foundational for fostering a security-conscious culture within an organization. Cybersecurity staff must possess the ability to clearly articulate complex technical issues in a manner that is understandable even to nontechnical stakeholders, including executives, managers, and employees across various departments. Simplifying technical language without losing the essence of the message ensures that everyone is on the same page regarding the nature of threats and the importance of security measures. Clear, concise, and jargon-free explanations help demystify cybersecurity, making it more accessible and less intimidating to the average employee.

Security teams must be adept at active listening. This involves not only understanding the concerns of and feedback from different organizational units, but also identifying underlying issues that may not be immediately apparent. By actively listening, security professionals can gain valuable insight into potential vulnerabilities and areas where security protocols may need reinforcement. This two-way communication fosters a sense of collaboration and trust, which is critical for a security culture to thrive.

Cybersecurity teams must also communicate effectively with external stakeholders, including clients, partners, and regulatory bodies. Transparent communication about the organization's security posture, incident response capabilities, and compliance with industry standards builds trust and confidence. In the event of a security breach, clear and honest communication is crucial for managing the situation, maintaining customer trust, and fulfilling legal and regulatory obligations.

Clear Communication Is a Human Skill

Communicating effectively about security topics absolutely requires a base level of technical knowledge. Understanding the output of a vulnerability scan requires understanding the packages involved, the systems impacted, their external exposure, and the necessary mitigation steps to assess the effort it will take to resolve a vulnerability.

However, when facing a hiring decision between two candidates, both of whom have the requisite technical skills to interpret the output, choosing the one who can more effectively communicate the impact of the vulnerability scan will mitigate the risk at hand better than the candidate who can execute the remediations. Additionally, the ability to articulate complex technical concepts in clear and understandable language is crucial for fostering collaboration among various customers and stakeholders, ultimately enhancing the organization's overall security posture.

Advancements in technology have also lowered the technical requirements within a number of cybersecurity disciplines. Continuing with the vulnerability management example, validating findings used to be a massive time sink, requiring deep technical knowledge of an infrastructure. However, with recent disruptors in the vulnerability-scanning space, some scanning platforms can now discover network topology, access controls, secrets management, and more without the need for manual control. This has resulted in technology platforms being able to contextualize vulnerability findings, prioritizing those that pose the most risk based on Internet adjacency and other factors.

This has lowered the technical requirements for people tasked with managing vulnerabilities within an environment. It is now more important for them to be able to explain the risk of a vulnerability to the engineering team responsible for patching than to rank the risk of a vulnerability themselves. A solid communication of risk, in a language that the system engineer responsible for patching will understand, will result in lower times for vulnerabilities to live.