The Communication Theory of Resilience: 5 Tips for Security & Privacy Organizations

Angel fish at Cuevita, Tulum - photo by Melanie Ensign

There is a lot of contemporary discourse about resilience, inspired by years of collective crisis, local and global unrest, and personal suffering. It is difficult to feel stable and not burn out.

A number of communication theories and research studies dive into the factors behind the seemingly unstoppable terribleness of things, like the rise of the attention economy, systemic racism and social injustice, polarization, and misinformation. But I want to focus here on what we do next. How do we move forward together as teams, organizations, and communities?

A decade before 2020 became the year that would never end, Patrice Buzzanell, now Chair and Professor of the Department of Communication at the University of South Florida, proposed a new way of understanding and explaining how communication processes can help people reintegrate after difficult life experiences such as disruption, loss, trauma, or disaster. She called her proposal the Communication Theory of Resilience.

The theory is rooted in Buzzanell’s belief that rather than being an “individual phenomenon that someone either possesses or does not, resilience is developed, sustained, and grown through discourse, interaction, and material considerations.”  

Yet, major stressors that impact security and privacy teams are complex and unfold over time. So, different strategies may be more effective at different stages of the process and in different contexts. For example, disruptions caused by poorly managed security incidents may be brief but jarring, often leaving security teams to lick their own wounds in fearful anticipation of the next one while the rest of the company quickly moves on. In contrast, the loss of a trusted leader or colleague due to the extremely short talent retention periods in infosec points to something more systemic beyond any single organization.  

The Communication Theory of Resilience offers five communicative processes through which resilience can be developed and nourished:

  1. Crafting normalcy or being able to talk normalcy into reality

  2. Affirming identity anchors or the stories we rely on to define who we are in relation to others

  3. Maintaining and using communication networks, or building and utilizing social capital

  4. Reframing or finding new ways to look at a triggering event

  5. Validating negative feelings while focusing on positive emotions, such as hopefulness and self-efficacy

In my experience, security and privacy teams are typically dealing with simultaneous changes and concerns. A breach is never just a breach; it’s long hours, intense pressure, interpersonal conflict, and self-doubt. I wrote about some of that here.

Similarly, for most privacy teams the grueling intensity never seems to show any signs of slowing down, whether it’s jumping in front of a speeding train to stop the latest product disaster from flying out the door, or the ever-present high expectations with insufficient resources. These experiences wear on our teams, and leaders need to step up to build and sustain resilience among their teams.

Something that comes up routinely in our work at Discernible is the need for teams to build these communicative processes before they face difficult experiences. A good strategy for change management should include similar considerations, but as incident response teams know, trying to build the relational and procedural infrastructure while responding to a triggering event is always more difficult and less effective than being proactive.

Building on Buzzanell’s framework, below are the five communicative processes from her theory, translated into everyday strategies for security and privacy teams to build stronger, longer-lasting resilience. 

1. Make efforts to maintain your and your team’s sense of normalcy, and be open to creating new routines and adapting.

No one fights change like engineers and lawyers, and for understandable reasons. Without reliable infrastructure or legal precedent, it would be even harder to manage security and privacy projects. But might I suggest that a healthy sense of normal includes confidence in our ability to adapt. Procedures and requirements may change, so anchor your sense of normalcy in how you treat each other and your willingness to step outside your comfort zone to protect something you value.  

2. Celebrate your identity.

Yes, you’re the security or privacy team for Acme Co, but who are you really? What are the characteristics and qualities that form your viewpoint and decision-making? Anchoring your identity is about more than knowing who you are; it’s also about setting consistent expectations. Mission statements and written values mean nothing if you don’t live them. Everyone on your team should be able to articulate your shared aspirations, principles, and priorities -- and demonstrate them through their work and interactions with others.

3. Establish strong communication networks and stay connected.

Your team needs trusted communication channels, norms, and procedures that can support the needs of different situations and contexts. People need to know where to look for critical information, how to get help, and which notifications they can ignore during a stressful situation. A matrix of available channels, recommended use cases, and a prioritized SLA for each is a helpful start. 

4. Look for silver linings (& hidden levers).

So your CSO doesn’t report to the CEO yet. Where else can they earn and exercise influence to improve life for their team? Where can team members build relationships with cross-functional partners to make security outcomes a shared goal? Talk about these opportunities frequently and openly as a team. You have more power than you think.

5. Acknowledge when things suck and be proactive about moving forward.

Losing a trusted CSO, being on-call during a Sev1 outage, being treated as the clean up crew for other teams, not being consulted about decisions that directly impact your work -- all of these things suck, and they’re common among many security and privacy organizations because we’re not proactive enough about shaping our own normalcy before bad things happen. 
