Ya speak security, doncha?

Hi folks,

A few years back, I headed to an unnamed state that’s famous for its BBQ.  As a fan of all such things (consuming, not producing), I made a beeline for the first BBQ joint I could find upon landing.

As I stood in line waiting to order, the guy in front of me became agitated.  It sounded like he thought he didn’t get what he ordered and couldn’t get the woman on the other side of the counter to understand.  Eventually he yelled “DO. YOU. UNDERSTAND. THE. WORDS. I’M. SAYING?!” Things got awkward, the woman walked away upset, and the man remained angry and was asked to leave.  Nobody was happy.

A short time later I was at a client site, presenting to a Fortune 50 CISO and her team on the awesome job we were doing.  We had been struggling for a long time to communicate the value of our services to clients – clients who were paying lots of money for us to detect threats in their environment.  We had tried quantifying the number of threats detected, number of hits reviewed, aggregate risk ratings for those threats… nothing really resonated.  This time we thought we’d found the right metric – the reduced time an attacker had in the environment based on the speed of our detection.

Our client was unimpressed.

She was kind, but clear.  She said “That’s great, but I can’t do anything with this.  I may inherently understand the value, but I can’t take this to the board and have them care.  I need something expressed in terms that they care about – money.”

It’s a lesson our field needs to learn.  Security doesn’t happen in a vacuum – it’s an inherently collaborative effort.  And when we turn to our partners for assistance, we need to speak their language, understand their motivations, and communicate in terms that resonate with them.  Do we need to be an accountant to talk to a CFO?  No, but we need to acknowledge that they’re not a security professional and that the minute we use the term “buffer overflow”, we’ve lost.  Otherwise we risk being like the angry BBQ guy – isolated and hungry because we refused to adjust our communications.

Rex