In cybersecurity you’re never very far from someone who is prepared to give you good advice, he said without any sense of irony. What makes anyone’s advice “good”? If it’s accurate and meaningful, it’s good advice.
Good advice is made better if it is based on experience, and one of the best ways to communicate that experience is by using real-world examples – sufficiently anonymized – to drive home the point that this particular advice worked for a company very much like yours, so it should work for yours. Nothing gets people fired up like war stories.
But there is a problem with this approach: it fails to recognize that, in many ways, the companies our examples are drawn from are anomalous. They may be similar to yours in very meaningful ways, but the fact that they brought you in to fix a problem makes them part of a fairly small fraternity of organizations that recognized they had a problem to begin with, and were willing to do something about it before things went sideways.
We know this to be true because it’s 2017, and the only difference between a news report about a random company’s security failings published today and one published 10 years ago is the victim and the byline. We’ve been handing out good advice for years; it’s just not resonating widely enough. How do we, the advice givers, get our messages to resonate beyond those who already ‘get it’ and across the full expanse of a given industry?
The answer is to focus on business principles, not security objectives. Companies want to increase revenue, maximize profit, reduce costs, and eliminate inefficiencies; no CEO gets rewarded by the board for reducing vulnerabilities (at least not yet). If you cannot effectively communicate how what you’re proposing makes your client a better business, your advice is going to be ignored or pushed to the right (deferred until it is too late, at which point they’ll be asking for a different type of advice).
Cybersecurity is complicated enough as it is. Having to translate it into yet another language only makes things more difficult. But that is what we have to do if we hope to have a serious impact on the problems we face. We have plenty of technology. We have tried and true methodology. What we lack is sufficient adoption, and to a large extent that’s on us.