Many years ago I was involved in a discussion with a partner in a global legal practise. At the time I was explaining my thoughts on the future relationship between the law and information and IT security. After a few drinks he was talking about how they had recruited a Cambridge graduate with a 1st in Jurisprudence. However even with all of their knowledge and their obvious intellectual prowess their future was destined to be mediocre compared to their potential.
Their weakness lay in their inability to communicate effectively and this is something that over 12 years I have seen widely across the information security industry. The irony is that many security professionals have a ready source of experience and skills in the field of communications within their own organisation.
The marketing department understands its customers. What are their concerns, how do they like to be communicated with, what the content of that communication should be, how to most effectively listen to clients needs and record these.
An information security professional should ask themselves these questions about their customers whether they be their line manager, Board or other stakeholders. If you fail to communicate effectively the business case for investing in information security you’ll generally fail to see your organisation implement the measures you want implementing, you’ll waste a lot of time and feel unrecognised.
Here are 6 of my recommendations if you are struggling to get your message across .
1. Don’t sign up for another information and IT security course. Go on a report writing or communicating course.
2. Ask to see a successful proposal drafted internally for your Board. What made it a success and what can you learn from this?
3. Just as businesses profile customers you need to profile your customers. How do they like to be communicated with, how should the content be structured, when should you communicate and how often?
4. Get some marketing and communications reading to add to your security library.
5. Ask your customer what they want? There’s nothing worse than the false sense of security that comes from security reports which mean nothing to the reader. Don’t tell customers what they can have, ask them what they want.
6. Go speak to your marketing department about effective communications. And remember communication is a two way process.
On a final note, whenever I have engaged with colleagues, outside of information & IT security, recognising their expertise and experience, and asking for their help in addressing the barrier of successful communication, I have generally found them willing and a new convert to the cause and at the very minimum more aware and better informed.