Rich, Adrian, and I are pretty lucky. We are bombarded by data coming at us from every direction. What’s working, what’s not, who’s attacking who, what new widgets are out there – and that’s just the tip of the iceberg. For an information junkie like me, it’s a sort of nirvana.
But absorbing all this information without being able to relay it to folks who need it defeats the purpose. Success in an analyst role comes down to talking to folks at the level and in the language they need to digest and use whatever you are telling them. I would expand the scope of that idea: being able to communicate is a critical success factor for any role. As I mentioned in my recent Dark Reading post (The Truth Will Set You Free), as an industry we aren’t very good at communicating, and this is a big problem as security gets a higher profile.
Far too many folks make generic statements about threats and controls, assuming their own perspectives work for everyone. Lonervamp points this out in the cold, harsh light of reality by dismantling a recent post on McAfee’s blog in smb security advice: don’t read this article. McAfee’s post allegedly targeted an SMB audience with Five Simple Steps SMBs Can Take to Avoid a Disastrous Data Breach. But its language and guidance were more appropriate to an enterprise reader.
LV did a great job discussing why each of their 5 steps was really ridiculous, given SMBs’ general lack of sophistication. Yes, that is another generalization, but it is generally correct in my experience. I’ll cut McAfee some slack because this came from their risk/compliance group – and they’re not really selling anything an SMB would buy. But that’s just one of about a zillion examples of how we screw up communications. This is vendor to customer communication, but both security folks talking to their organization (at both high and low levels), and consultants talking to customers, suffer from the same tone-deaf approach of figuring a single message works for everyone. It doesn’t.
I should know – I have screwed this up countless times in pretty much every role I’ve ever had. So at least I have a few ideas about how to do it better. I’m particularly sensitive to this because we are starting to spend many more cycles on Securosis’ SMB-targeted offering. It literally requires us to shut down the enterprise part of our brains (which the three of us have honed for years) and think like an SMB. At the end of the day a little reminder can make a world of difference: it’s about understanding your audience.
Really? Yes, it’s that simple. But still very difficult in practice. Which is why it’s important to sprinkle in industry vernacular if you are talking to a certain industry group. Why you need to focus on business-centric issues and outcomes if you speak to senior management. And why you need to keep things simple if you are addressing a group of small business people.
Again, if you are in an SMB, or you are a senior manager, or you work in a certain industry: please don’t take offense. I’m not saying you can’t understand generic language. My point is that you shouldn’t have to. Any person communicating with you should respect you and your time enough to make sure their information is relevant to you, and to consider their presentation rather than merely repeating what they say to everyone else.