Bridging the Gap Between IT Security and the Corporate Office

Posted: 18th December 2014
Bridging the Gap Between IT Security and the Corporate Office

Editor’s Note

Woody is the founder of Weathered Security. He helps companies meet information security challenges that aren’t just hard technologically, but also can be hard to clearly communicate outside IT as urgent business problems.

Example: Why should executives care about masking the electronic signatures of devices? What’s at risk if they do nothing? If they choose to reduce this risk, what approaches are even worth an evaluation, and why?

In this blog post, Woody breaks down the value of straight talk about complex IT problems.

You just left another briefing with the CEO. The lost blank look on his face convinced you not only was nothing you told him understood, but that additional funding you wanted for equipment is not coming. How can the people in charge of a company refuse to listen to such a valid argument about security? If this sounds familiar, then you have failed to bridge this gap.

Your message was simple; you need to get an IDS that can use an ACL to monitor MACs and give alerts if they are cloned. That statement (although very basic) may not portray the same message to the room that you think it does. For example…

IDS: Intrusion Detection System (IT), Individual Deployment Site (Military), International Development Studies (Business), Integrated Defense Systems (Boeing)

ACL: Access Control List, Allowable Combat Load, Allowable Cargo Load, Administrative Civil Liability

MAC: Media Access Control, Macintosh, Military Affairs Council, Military Airlift Command, Managed Account, Multiple Award Contracts

You may have just stated you’re attempting to use an individual deployment site and have the allowable cargo load standards monitor the supplies that are taken to a Military Air Command terminal. You can see how this could become confusing. The point is that language is very important in communication.

Know Your Audience

When I taught medicine it was important to use words, not acronyms, to describe a condition. Then simplify the six syllable Latin-based terms in a manner the average person could understand.

Example of Complex Explanation: Your Anterior Cruciate Ligament has exceeded its biomechanical limits; this may have also affected O’Donoghue’s Triad. Radiographic studies will be needed for assessing and evaluating any Differential Diagnosis.

Example of Simple Explanation: You have injured your Anterior Cruciate Ligament (ACL); it’s located in your knee. This injury may have also affected the other ligaments so an MRI is going to be needed to get a picture inside your knee joint. These ligaments help keep your knee stable and it’s important to evaluate all possible injuries.

Knowing your audience is the key to gaining their trust and respect. The simple explanation did not frustrate patients. The choice of words can alienate a group of people or empower them. Let’s go back to the original statement and word it differently. It will be a few seconds longer but will give clarity that the audience can visualize.

The IT department needs to invest in a new intrusion detection system (IDS) which will allow us to protect our network by knowing when cyber attacks are attempting to penetrate it. This IDS can allow us to set up Access Control Lists (ACL) these control list will allow the company to monitor what Media Access Control (MAC) addresses are present. The MAC address is like a license plate for devices that are on the network. Some devices will have more than one. Just like a license plate they can be spoofed or faked but it’s almost always done for nefarious activities. The system we want would allow the network to know if someone was trying to access controlled areas of our system by faking the MAC (or license plate) of a device that should be on the network.

This is a very basic example but the principles are the same. Do not speak over their heads. Do not use acronyms without saying what they mean. Talk to the audience and relate it to things that can be easily visualized. This will make it easier for non-technical individuals or groups to begin learning the network and what the dangers are. This method will stop the rolling of eyes and dull blank stares of boredom. The A-type personalities that lead corporations are not going to stop you to ask questions if they think it will make them look uneducated.

Getting What You Want

Remember it’s not a CEO’s job to speak tech, it’s your job to speak a language they understand. My background began as a knuckle dragger. That term means a lot to me and I wear it as a badge of honor. It also means I’ve been intimidated by computers before and had to learn from basics. If you can’t remember what it felt like to be intimidated by the cyber world, you may be forgetting the average person doesn’t know the difference between WPS and WPA2. It doesn’t mean they can’t understand it. It only means they have not had it explained to them. The moment you can explain this to them is the turning point that will get them on your side and in their coffers. It’s much easier to pay for something you can visualize and understand.

This article is designed to help bridge the gap between IT security and the corporate office. The ability to speak to an audience and engage them as individuals is one of the best tools for succeeding at getting what you want.

This does require a comfort level at speaking to people and relating to them in a way that makes them want to listen. For those of you who are not comfortable engaging people in conversation, this is a sticking point that needs to be worked through. I’ve got a multitude of tricks and lessons to help with this but that is for another article.

Good luck and I hope this helps. Please note I’m still a knuckle dragger, I just drag them across a keyboard now.