This article provides tremendous advice concerning a vital component of IT security that is often overlooked and ignored. To simply state the obvious – communication is key. Yet, in the world of IT security, we very quickly get lost in a sea of technical jargon and alphabet-soup acronyms. Technical speakers often get their audiences lost in the weeds of the “hows” and “whys” of a needed security control or an imminent risk, yet those same speakers never realize anyone is lost because they alone hold the map and never look back.
We as IT professionals need to understand our audiences and their capacity for understanding and reason. Technical controls and imminent risks should be translated into real-world examples and practical analogies. We need to be succinct, clear, and timely in our comments. We need to choose our conversational battles and not find ourselves perpetually holding an umbrella while ranting as the sky falls around us.
And above and beyond all of these things, we need to shut up from time to time and truly listen. We need to hear what management teams and end users have to say. We need to ask for, and receive with a decent modicum of humility, constructive criticism about what is working in the security practice and what might be a significant hindrance to business success. There is always more than one way to tackle a problem, and though many of us have our favorite ways of doing things, those favorite approaches do not hold exclusivity when it comes to what is right for any given business environment.