Every Security Decision is a Business Decision. Communicate Accordingly. 

Your trajectory in the cybersecurity field has been a little non-conventional. 

True - I started in the world of academia, focused on endpoint security. Cutting my teeth on cybersecurity in a university setting was both good and challenging. Higher education is a little bit of a mishmash of technology and data, and you have to be creative with how you solve problems because there is very little funding yet you’re responsible for a lot. And, there are an insane amount of regulations. Plus, you’re responsible for security for a whole array of people; from faculty working on research who want unfettered access to everything, to students living in dorms. So it’s a mix of regulated data and research data, and you get exposure to a lot of different attacks and incidences. You’re responsible for all of those access points and making sure they don’t get breached.

How did that experience prepare you for leadership roles in the private sector? 

Because I had to communicate (as a then-young person) with PhD professors about why we need to do certain things to keep everyone secure, I had to really up-level how I communicated. That taught me the importance of communicating in the language and context of my audience. In academia, you don’t have a big stick - you have to persuade people why security matters, in contrast with a corporation that may have policies and controls and a broader understanding of the importance of security. These are critical communication skills for anyone working in security to develop, as early as possible. That’s why when I’m interviewing and hiring people, I am always willing to talk to someone with experience in academia. It’s a great foundation for learning the importance of looking at the big picture, including how to tie security to individual and organizational goals.

The need for security experts to understand the business they’re working on seems to come up a lot these days. Why is that?

I approach it this way: every security decision is a business decision. And getting your hands dirty in some of the fundamental aspects of business - things like budgeting, managing contractors, etc. is really important to succeed in security today. It helps you understand why decisions are made, often several levels above you. Sometimes security folks want to buy a $50k control to address a $5k risk. In my career, I’ve intentionally taken roles that exposed  me to business strategy, to be the bean counter, and think about where we can align security with the business to  be more efficient. 

Why is it sometimes challenging for security experts to learn business communications and use it to grow their career in cybersecurity?

The industry tends to value strong technical skills, which can make it hard - because when you’re a technical person, it’s like “a pipe is leaking, we need to patch the pipe” - and then move on. They have a lot to do. Yet, we also need to give people the creative space to think strategically and learn about the business side so they can step back and think about the why of security: why isn’t this program or strategy working? Otherwise they can get stuck in a rut or they lose confidence because decisions are being made by the business that impact security and they don’t understand why. Then they can feel like, “I’m not going to try because they are not listening to me.” It boils down to giving people the ability to be creative, get more training, etc. At the same time, it’s the responsibility of security leadership to communicate the business rationale to their teams.

I previously had a role that sat between customers and their 27/4 security monitoring teams. So I took all the business skills I’d learned up to that point to help partner with customers on their planning and strategy, help them mature their programs, and give them the ammunition they needed to present to their Boards and leaders. Learning and using these skills isn’t really rocket science, but the lack of business communication skills can have an outsized negative impact on your career. 

What are three things you wish every security professional would remember as they try to grow in the industry and improve their communication skills?

1. Don’t assume people know what you know. You need to figure out a way to communicate to business leaders in a way they will understand. And don’t assume a “no” today is a no tomorrow. Things change so much and so fast in our field - we really can be new employees forever.

2. Complete the circle. If something goes wrong or you hit a roadblock, don’t just move on. I know everyone is busy but it’s important to close the loop, especially if something didn’t end up the way you hoped. Do a retro and share with others what happened - what were the influencing factors here? What can we do better next time?

3. Invest in communications and business training. You need to learn to communicate succinctly across the organization, particularly to business partners and leaders. Maximize your elevator pitch to match their priorities. And that requires pre-work. Don’t just walk in with your idea for your one control and hope to get a green light. Tie it to the big picture of the overall business.

Personally, I continue to learn and grow my communications and planning skills. I recently took Discernible’s “Decision Making as a Team” trainings and left with a matrix and a framework to document how decisions are made. It was cool because the mapping out and documentation is a great way to show people how you got to where you are. It is a kind of receipt. It closes the loop and keeps the trust. Getting expert training like that can really help, no matter how long you’ve been in the industry. I’m learning something new all the time.

Check out all of Discernible’s communication trainings here.