Are your communication skills holding your information security career back?

May 20, 2019 by Susan Morrow

Introduction - Going Beyond "Talking Techie"

Back in 1999, the Mars Climate Orbiter came to a crash-and-burn end. Why? Because there had been a serious miscommunication concerning the units of measurement used in the calculations. One team was producing and calculating in United States standard units, while the other was working on the metric system. The two sides had not communicated well, and the result was a literal disaster.

People who work in the technology sector often worry about not being technical enough. Sometimes it feels like you have to “talk techie” to be taken seriously. However, our industry has been plagued with a lack of good, clear communication in years past. We should be worrying about the ability to communicate effectively.

This concern has opened a debate around the need for soft skills. The term “soft skills” typically refers to non-technical skills, such as being able to communicate across multiple team disciplines, being able to work with team members effectively, and even being decisive. Other skills, like problem-solving and being able to communicate these ideas, come under the soft skills umbrella as well.

Before we continue, a quick note. Instead of using the term “soft skills,” I will continue this piece using the phrase “communication skills,” as this is what it all really boils down to.

The softer side of cybersecurity

The field of cybersecurity has changed a lot in the last 25 years. There is certainly much more of an emphasis on the human factors used by cybercriminals. But this is not really what the use of communication skills is about. Communication skills, both spoken and written, are becoming more important. But why is this so?

A report from the University of Baltimore titled “Skills and Characteristics of Successful Cybersecurity Advocates” came to some interesting conclusions. One of these was that there was a lack of recognition that the industry was, actually, service-oriented, and good communication was therefore crucial. The paper pointed out that there needed to be a “dialogue about how the cybersecurity community can augment current security and education efforts to develop these [cybersecurity] advocates”.

While the study accepted that technical understanding was needed, this has to be augmented with great communication skills, and being able to “sell” cybersecurity is key. What does “selling security” mean? Well, it involves being able to clearly communicate the benefits that having a security-aware organization brings. If you are a security professional, at some point you will have to be able to promote the ethos and importance of cybersecurity across the board.

Communication skills are also likely to improve your chances of employment as more employers recognize their importance. A Tripwire report showed that 60% of employers look for good communication skills in IT security candidates.

7 communication skills that can help you boost your profile in cybersecurity

So what kind of skills are needed and how do you best address any gaps you might have as an individual in these areas? Below, I’ve outlined seven key areas to focus on:

1. Know how to write concise reports that are accessible to management

A good writer can convey complex subjects succinctly. Cybersecurity professionals need to learn how to communicate, often using highly technical details, in an accessible way. For example, you may need to sell security awareness training to the board to obtain your budget. It’s a testament to your technical knowledge to be able to clearly articulate ideas for a non-technical audience.

When I used to write technical user manuals, I would give them to my 12-year-old daughter. If she could understand them and use the software they described, I felt that I had created a good user guide.

Test out how you describe cybersecurity ideas and issues on people who are not technologists. Work out the best language to use, what level of understanding to target and whether images can help. Use these findings when you create presentations for management.

2. Choosing which communication channel to use in different contexts

Sometimes, a picture is worth a thousand words. Know which type of channel to use to communicate. This also depends on who you are communicating with.

The use of visual tools such as Venn diagrams, charts and other graphical images can help convey dry metrics. Infographics are also a great way to show an at-a-glance set of related statistics.

When communicating security awareness issues like password hygiene to a mass audience, consider things like security awareness training posters.

3. Being assertive to get a point across

Being assertive is a very effective way to communicate. However, there is a fine line between being assertive and being aggressive. Assertiveness is easier if you have self-confidence. Assertiveness is about firmly presenting your ideas in a respectful manner.

One way to become more confident in yourself and your ideas is to truly understand your work. Spend time learning all about the area you work in and build your confidence; assertiveness will follow. As an example, if you have a view on something, using assertive methods would include evidencing your claims, bringing in advocates of your idea and clearly articulating it — an aggressive communication would try to force a view without evidence.

4. Communicating across the levels

As you progress through your career as a security professional, you will find you work with folks across all levels of the business. Security is a cross-department/cross-company issue. This will bring you into contact with managers of teams throughout the organization. Having an assertive manner and great written and verbal communication skills will help you sell security to everyone.

5. Learn to communicate technical concepts well

Being a good teacher is important in a cybersecurity landscape where human beings are a vector. If you understand a subject deeply enough, you should be able to communicate it so that anyone can understand it.

Effective communication of technical concepts does not mean that you should blind someone with science. The famous physicist Richard Feynman set out to take the subject of particle physics and make it understandable to students with little background knowledge. Feynman said:

“When we speak without jargon, it frees us from hiding behind knowledge we don’t have. Big words and fluffy ‘business speak’ cripples us from getting to the point and passing knowledge to others.”

Remember, language is about communication, not obfuscation.

6. Build your profile as a domain expert through good communication

You are your own advocate, so act like one. Build your profile in your company and externally as being the person to go to about X, Y or Z. How you do this depends on your organization, but if you get opportunities to educate your coworkers, do so. This is a good way to practice your general communication skills.

Other things you can do to increase your profile as a cybersecurity guru:

  • Create a cybersecurity newsletter for internal employees about the latest issues — with a tip of the month
  • Do regular roundtables with department heads to go over security policies
  • Offer to do regular briefings on the latest scams and social engineering issues facing your industry

7. Be socially aware

And last but not least, dip into the social realm. Social media isn’t for everyone, but it can be useful. Use it to connect to other security professionals to keep up to date with the latest happenings in the cybersecurity world. You can also use it to build your domain expert profile by promoting your external work if you speak at conferences or write a security blog.

Conclusion

Many people who choose to go into the technology sector and cybersecurity specifically may well be more on the introverted side of the personality spectrum. I freely admit to being towards that end myself. However, being able to communicate across different channels is very important if you want to get ahead in the profession, especially if you want to move into any management position.

Sources

  1. Haney, J.M., Lutters, W.G. Skills and Characteristics of Successful Cybersecurity Advocates
  2. Survey Says: Soft Skills Highly Valued by Security Team, The State of Security
  3. Assertiveness, Psychology Today
  4. Learning From the Feynman Technique, Medium

Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.