“The solution is not buying another server, it’s having better communications.”
A Q&A with DEF CON founder and CEO Jeff Moss on the value of security communications
You once said, “80% of the problems we have as a security industry are communications problems. We can fix this. Communication is a soft skill that leads to better technical outcomes, period.”
Can you expand on that?
With both DEF CON and Black Hat, it seemed like every time we ran into a problem, it was almost always a communication problem. There are so many moving parts and so many teams involved, if you weren’t really clear with your communications up front, it was like a game of telephone. People would take the last thing they heard and run with it. It was never malicious, but without deliberate communication and clarity, people were off to the races. And by the time you find out you have a problem, it’s expensive and harder to fix. It could be anything - from what to put on a conference badge to technical requirements for a product. When we would finally get to the bottom of the problem, it was usually because communications weren’t clear.
I have looked at the costs of these types of problems and realized the solution is not buying another server, it’s having better communications. That would solve 80 percent of those issues. And that is a hard problem to solve, because you have to change both how people communicate and how you listen. And that means sometimes you have to dig deeper and ask a lot of questions to uncover what is really going on.
How can this approach help security leaders?
If you never spend the time to ask questions or understand the needs of your stakeholders, you’re not going to deliver the work they want, or you’re going to over report or underreport. One of my first jobs was to scope professional services for a security consulting company. And I learned that you could be a great pen tester, but ultimately what the client was paying for was the report - and if you weren’t clear or you didn’t understand what the client wanted, your report wouldn’t meet their expectations. And what is the report after all? It’s all communications. What did you find? Why is it important? Did you put it in the context of their business? I learned that the difference between a good pen testing company and a great one was the report writing.
And it’s not a skill many of us were taught in school and it’s not an engineering discipline. When we tried to find people to write test reports, we ended up finding people from the humanities. They could learn the technical details. It’s harder to find technical people and then teach them to be good communicators, but somehow Melanie has figured out how to do it - and that’s what her team is doing at Discernible.
You’ve been in the security world for a while. Have you seen greater awareness for the importance of communications?
I’ve noticed that often when companies do tabletop exercises they don’t normally exercise communications in my experience. It’s focused on the technical response. It’s rarely asked, “How do we use this opportunity to demonstrate transparency and commitment?” I’ve advised governments and the question of what you reveal, and when, if an incident happens isn’t often asked. When something goes wrong, I’ve observed that people tend to either panic or twiddle. Even if you are legally mandated to report an incident, that doesn’t mean you’re necessarily good at it. Waiting until you’re in the thick of an incident is the worst time to try to learn on your own.
When I was at ICANN, there was a problem with our rollout of new top-level domain names. We had the technology in place to handle the issue, but we didn’t really have security or incident comms ready to deal with the fallout. That’s when I got firsthand experience watching news reports coming in and realizing these communications aren’t PR, or marketing - it’s different - and I remember thinking, “Are we really going to hand this off to someone who doesn’t understand the industry or the issues?”
I think that recognizing the value of security comms, whether you're in a crisis or not, is still a rare skill. You have to recognize you need specialized comms support and then you need to have the right people to do it. I think that’s where Melanie was so helpful with DEF CON. She’s been close to the flame in a lot of security comms situations. If an incident or situation came up, the technologists in us would want to over-explain, and Melanie taught me that half the time, an issue burns itself out, and half the time you are misinterpreting what the core issue is. I’ve learned valuable lessons from her.
What was it like working with Melanie on DEF CON over the last 10 years?
First of all, I love how Melanie has pioneered incident and strategic security communications. She really is an expert in this space and one of the first to understand the specialized nature of it. And I’ve found Melanie to be a really great advocate for different audiences. You may be thinking you know what audience you need to address, but she will point out what audiences you’re overlooking. And she has a lot of experience dealing with the press and understanding the individual players, and how to gauge the impact of a news story and when it made strategic sense to engage with the press or not. That’s second nature for her.
Internally, working with all the various players at DEF CON, she understood each of the players and their different sets of needs, from social media to the business leaders. She was really good at keeping us focused on what is important. The lessons we learned at DEF CON from Melanie are still with us today - her expertise is durable and not transactional. We have definitely leveled up from working with her.