Communication is a foundational component of all work in cybersecurity. Communication happens in many forms, written, spoken, and even non-verbal. It happens in large groups and small, sometimes it's real-time, and sometimes it's asynchronous. Communicating effectively is perhaps the most important soft skill in this framework. Everyone also carries past experiences, perceptions, ideas, and mental models. These things inevitably inform how people receive and interpret any form of communication.
There are numerous subsets of communication, each of which can be developed to improve overall. Some of the more prominent of these include:
- Writing skills
- Oral communication
- Presentation skills
- Active listening
- Nonverbal communication
Communication serves many purposes for people:
- To inform others of something
- To express feelings
- To influence somebody in a particular direction
- To collaborate with others
Communication is the bridge between two or more people. It is an essential ingredient to organizations and teams getting things done. Like any skill, investing in communication skills is necessary if an individual or a group wants to improve their outcomes.
Communication can help you no matter what role you work in or the seniority level you find yourself. The below list is far from exhaustive, but it's included to help you think through the various places where you can begin working on the different aspects of communication in your day-to-day life.
As a CISO
One of the CISO's primary job functions is evangelizing cybersecurity across the organization. This means different things to different people in different contexts. For example, it can mean:
- Effectively conveying the importance of cybersecurity measures to others
- Explaining the potential risks and consequences of not implementing security controls
- Summarizing complex technical concepts into something that non-technical stakeholders more easily understand
- Engaging with the public or the media during crises like a data breach
Effective communication is also a cornerstone in building relationships with other departments, such as the finance, HR, and sales teams. It takes a different form, but the same holds for external partners and vendors. As a CISO, it is essential to work closely with these groups. Security teams often work through other teams to manage risk. That can't and won't happen effectively without the foundation of a good relationship.
The CISO also acts as a figurehead for the cybersecurity culture within an organization. This includes educating others, engaging at all levels of the organization, being accessible, and striking the right level of transparency. In this process, people need to feel valued, heard, and empathized with, especially if cybersecurity has historically been a strain on others within the organization.
As a Pentester
A Penetration tester's job revolves heavily around finding vulnerabilities in systems, whether web applications, networks, cloud infrastructure, thick clients, or anything else. Finding vulnerabilities is essential. ItIt'sften the most highly prized and trained part of the job since technology constantly evolves.
If the penetration tester cannot effectively communicate the issues to teams needing to prioritize and fix them, then the risk needle doesn't move. Teams need to understand the problem, why it's important, how to fix it, and how the risk of the issue compares to other risks and priorities they face. An effective penetration tester helps to increase this understanding through the following sorts of communication:
- Active listening during the scoping and kickoff activities to make sure that the proper work is being done
- A well-written report once the engagement is finished
- An engaging readout call where questions can be answered and context provided
Empathy and patience are critical since the pentester's job is so heavily centered around finding what is wrong with work that someone else did. That can lead to defensiveness and a lot of self-justification. While understandable, it doesn't move the conversation toward the productive place of acknowledging and dealing with risk. As a penetration tester, navigating these responses with empathy and patience demonstrates a customer-centric mindset. It will ultimately help them more than they can probably realize.
As an Incident Responder
The basis of an incident responder's job is to help an organization, and its' staff, through one of the worst days of their professional career. The incident responder must call on all their technical prowess during this time. There will be scripts to write, PCAPs to examine, malware to analyze, and many more highly specialized skills needed to do your job. All that skill and hard work will be significantly minimized if you cannot communicate your findings in a way that non-technical people easily understand.
This communication will come in many forms:
- One-on-one verbal communications with peer IT staff to illicit help and share information on the status of the investigation
- Senior leadership briefings to communicate significant findings and results
- A clear and concise report of findings that contains enough technical detail to ensure it can be peer reviewed and also has an executive summary that communicates your results in plain-language
- Testifying as an expert in a court of law
- Listening, understanding, and empathizing with the business goals and objectives of the organization that was breached
The importance of working within the constraints of the business's objectives during a breach cannot be understated. Business owners and staff will be very much on g a breach, and the information from your investigation must keep flowing. Being empathetic to their feelings, listening to their goals, and keeping them informed, along with all your great technical work, will make you a sought-after commodity in the incident response business.