Tailoring infosec communication: Five scenarios
Last post, I went over two methods for understanding or segmenting your audience. The first was based on the influence you have over your audience - why are they listening to you in the first place?
Required to listen
Someone else told them they had to
Based on these, here are some scenarios and how to tailor your communication to that audience:
Scenario 1: A (work) friend asks how they can be more secure (affinity).
Now, this might be due to legitimate interest in security or just affinity. If it's more affinity-based it will likely be framed as "tell me about what you do," rather than "tell me what I need to do." Affinity is great to start a conversation but it can lead to polite listening rather than active listening. They're listening because they want to learn about you, maybe not security. You might be able to sense this if their eyes glaze over once you get too specific or technical. If you can't tell whether they're just being polite, assume they are.
This type of audience won't necessarily be thinking about how what you're saying applies to their lives. So you have to draw that picture very clearly for them. Get them from polite listening to active learning. Model the behavior - "let me show you this helpful thing (app, tactic, what have you) that I use" and explain why you use it, making sure it's a reason that will resonate with them.
Scenario 2: Intervention with a problem employee/end-user (Structural reasons).
This is most likely to be a one-on-one interaction, and the person is listening to you because either you outrank them or someone who does told them to. This can easily turn into an adversarial conversation. Try to head off or defuse that by framing the conversation as you trying to learn from them - you want to understand their situation so you can make sure the security can protect them best. Find out what's preventing them from being secure and think of how to get them around it - use efficacy. Also make sure you have support and buy-in from higher-ups, not just for the intervention generally but for specific courses of action. If you can, bring references as well - "I helped so-and-so with this, maybe it'll work for you too."
Scenario 3: Conversation necessitated by regulation "are we X compliant?" (check box).
This conversation isn't started because the person wants to be educated about security. They want to hear "yes." You have to find a way to get as much information across in the time the other person has mentally allocated for the conversation. This is one of the tougher scenarios. You might have to just respond with "that's not a simple question, do you want to set up a meeting to discuss it?" Not that we all want to have more meetings, but you're trying to get the point across that security isn't a simple yes/no question. Complicating this is the fact that the people asking this type of question will most likely be equal to or above you in power/authority. Whether and how much that impacts the interaction really does depend on organizational culture and personality. If you can pull it off, your best bet is to hold off on answering the question until you can do it in a more structured setting.
Scenario 4: Required security training for employees (Someone else told them they had to).
This is the situation with which I'm most familiar. My background is in education and training. In some ways, this can be your best case scenario because it's structured and planned. You have time to prepare and can follow an outline or script. You don't have to remember best practices during an off-the-cuff conversation, you can have them right in front of you. Also, these are typically mandated trainings so you know that people will actually show up.
The downside to this is that your audience probably isn't psyched to be there. You'll probably have some friends and/or legitimately interested people in the audience, but you need to play to the least interested in the crowd. With a reluctant or captive audience, your first step should be to build affinity or trust. Both are great, but trust may be easier if interpersonal or public speaking skills aren't your strong suit.
Trust can be built through displays of expertise - they just have to trust that your recommendations are good, not necessarily trust you enough to lend you their car or whatever. Show them your expertise - why are they listening to you, why were you picked to give the presentation? The word of caution here is to make this display of expertise accessible. Don't list off degrees or certificates that have no meaning to your audience - explain what experiences you have that make you an authority on the topic in terms that they understand: "I have X cert, which means I studied this thing so much my eyes bled" or "I created this program" or "I'm in charge of security," etc.
I like to build affinity through humor, self-deprecation, and shared misery, but everyone has their own flair. I used shared misery a lot when I taught public speaking - "I don't want to be here at 8am either, but here we are." Draw connections and similarities between yourself and the audience - we like people who are like us. Make them a bet or a deal, give them a treat - if they feel like you've given them something, they will feel compelled to reciprocate. Even if that reciprocation is just their attention, it's a win. Telling a personal story is a great way to hit multiple points at once. You can build affinity and trust by sharing something personal, and you can use the story to educate.
Scenario 5: Manager or executive watched the news (fear).
"I saw such and such on the news, could that happen to us?" or even better, "Do we have a blockchain?" The key with this sort of conversation is that they're talking to you to assuage their fears. They want to hear "we're good, no need to worry." Even if you're not good, even if there's a lot that can be improved, you need to comfort them. If they feel worse after speaking to you, they won't do it again. As much as it might be cathartic, you can't just list everything wrong. Give them a small cookie for at least asking.
Tell them how the specific thing they're worried about doesn't apply to the organization, or tell them one thing that the organization does well. Then: "There are some things we can do better." If you have a wishlist proposal ready in advance, you get the cookie. You should be waiting for this conversation - for the executives to realize they need to do more for security and ask how to do it.
Encourage that sort of behavior regardless of who is doing it. Anytime someone shows an interest in security, they should be encouraged. Try to think about their motivations for asking to tailor your response. If they heard about a new technology that's totally inappropriate for the organization, redirect to something actually useful from your wishlist - "Yes, that's super cool. Have you heard about this though?" Match enthusiasm with enthusiasm, reassure them if they're afraid.