Watch Your Language: In Cybersecurity, What You Say and How You Say it Matters a Lot

People have studied the impact and importance of language for centuries–and for good reason. Nothing in life is accomplished without clear communication between people, organizations, or countries. And much of the value of good language is personified by one’s ability to use it to ask important questions–especially when it comes to cybersecurity.

My favorite quote about language comes from anthropologist Jane Goodall:

“What makes us human is an ability to ask questions–a consequence of our sophisticated spoken language.”

Dr. Goodall may have never conceived of the application of her philosophy in a world of dramatically expanding cyber risk, but the need for clear, concise, and actionable language has never been greater for business executives, cybersecurity professionals, and board members. In fact, without an enhanced emphasis on all forms of language–verbal, non-verbal, and implicit–cybersecurity efforts will fail to accomplish critical goals because the involved parties will be misaligned, confused, and frustrated.

Three articulate points of view on the importance of language in driving cybersecurity solutions come from Navigating the Digital Age, Second Edition. The authors–all experienced and respected cybersecurity leaders–have focused on language as a catalyst for enhanced cybersecurity practices and outcomes because they all recognize that our industry no longer can survive the growing chasm between technical risk and business outcomes.

To be certain, much of the responsibility for developing a commonly understood and consistently applied language on cybersecurity risk falls on the shoulders of the Chief Information Security Officer. “It is not the responsibility of the CEO or the board to come to you and tell you what they want to know,” said James Shira, who leads cybersecurity efforts at a leading professional services organization. “It’s on you.”

Of course, the onus for creating and using a common vocabulary does not rest solely with the technical leadership: Business executives and board members must help bridge the gap by ensuring the CISO understands the desired business goals and by articulating needs and risks in business language, such as revenue, profits, customer satisfaction, and enhanced competitive position.

In many cases, this partnership between the business and technical leaders must take the form of empathy and trust, built on a foundation of common language. “The hallmarks of a great relationship are trust and confidence,” said Brad Arkin, Vice-President and Chief Security Officer at Adobe. “Without an open, honest, and two-way communication between the technical and business leaders, empathy will be impossible to achieve. And without a relationship built on empathy, progress toward optimal cybersecurity readiness will be fleeting, at best.”

Few, if any, business leaders would dispute the notion that cybersecurity is a business problem. As such, it’s logical to assume that everyone agrees that a CISO who addresses an executive committee or board member with technical jargon, buzzwords, and acronyms isn’t providing valuable input on a critical topic. Who cares where a DDoS attack started or what endpoint it exploited to get beyond the firewall? There are far more important questions to address:

  • How long has our online sales engine been down?
  • When are they going to be up again?
  • What do you project our revenue losses to be?
  • How will this affect our quarterly earnings forecast?
  • Do we need to disclose this as a material event in our SEC filings?

If your CISO doesn’t speak to you in this kind of language–and if business leaders don’t ask these types of questions–your state of risk will always be elevated.

One approach business leaders should take, working closely with their CISO and other technical leaders, is building a cybersecurity language around evidence: the most relevant and up-to-date facts and metrics that shape what CISOs say to business leaders.

“Too often in the past, security professionals have largely told the story of fear,” noted Mischel Kwon, CEO of MKACyber, a managed security operations provider and security consulting firm. “We have also told the story of right and wrong, black and white.

“We know security professionals need to change the way they talk to business leaders, because we need to gain the trust of those leaders. We need to participate in this conversation, and to do that, we have to take an evidence-based approach to those talks.”

By “evidence,” Kwon is referring to quantifiable threats and risks that are posed in terminology familiar to business executives. “Messages must be expressed as ‘use cases,’ rather than the scarier term of ‘attack type,’” she said. “The CISO and their team must avoid discussing fear-inducing things that are irrelevant to the organization’s business models and threat profiles.”

Hard data, fueled by automated tools, machine learning, and other next-generation technologies, arm the CISO and the business leaders with actionable insights on what steps to take to detect, prevent, and remediate the impact of risks. But as important as evidence-based language is in this process, there also are important non-verbal expressions of language that business leaders must pay attention to.

For instance:

  • Does your reporting structure convey a message to the organization that cybersecurity is a critical business imperative, or that it is a technical implementation overseen by the IT department?
  • Who reviews and approves the cybersecurity budget proposals and investment recommendations?
  • Do the CISO’s colleagues and peers treat cybersecurity leadership and the SecOps teams with respect and collegiality, or do they see the security function as a roadblock to meeting business goals, especially in an era of DevOps?
  • Does the CISO accept the challenge to “operationalize” cybersecurity as part of their core mission, or do they focus on the technical fixes?

Finally, business leaders and cybersecurity executives will often find themselves in a meeting where the omnipresent question comes up: “Why?” Business leaders must create an environment where the CISO understands they have to be prepared to support their recommendations or requests with well-thought-out and articulate business logic.

“(A CISO’s) answer to ‘why’ must be concise, sober, and grounded in business benefits that are in lockstep with the organization’s strategic goals,” according to Shira.

“If not, freshen up that resume.”

Mike Perkowski, co-founder of New Reality Media, is an award-winning journalist who founded, led, or helped develop some of the most successful and influential high-tech media properties over the past several decades.