top of page
  • Claire Tills

Audiences of infosec communication: Internal or external?

There are a lot of ways to think about audiences of information security messages. Your relationship to your audience influences how you communicate with them. Why are they listening to you? Are you part of an internal team - are you communicating with your coworkers - or are you an external entity - a contractor/consultant? Is your audience internal or external - are they employees of the company or are they customers/clients/end-users/etc.?

Let's look at the pros and cons of the four relationships created by these two variables.

matrix: You are internal or external to the organization versus your audience is internal or external

I) Internal/Internal

Both you and your audience are employees at the same organization. This comes with several benefits.

  • Shared values - because you're working for the same organization, you're ostensibly working for the same high-level goals. You can appeal to these shared goals and values to build affinity and use them as proof points. Doing this will help us reach X goal.

  • Organizational knowledge - You're more aware of how things are done. You know who to talk to about specific issues, you know where there might be sensitivities, etc.

  • Possible to have slower-burn persuasion - If you and your audience are both internal, there isn't as much of a ticking clock on your efforts as there might be for a consultant. You want behavior change quickly, of course, but you can spread things out a little more. People won't feel as pressured to change and won't resent the efforts as much.

There are some drawbacks though.

  • Interpersonal friction, grudges, etc. - While it can be a benefit that you know the people you're trying to persuade already, it might also bite you in the ass. Even the best efforts can be totally blown by office politics. However, knowledge is power. You're less likely to stumble into an interpersonal quagmire, at least.

  • Institutionalized siloing - This is probably the biggest issue in my mind but I have a grudge against siloing. In many organizations, security and IT are heavily siloed so overcoming those barriers and building trust with your audience will take time and effort.

  • Structural constraints - When you're internal, you're more constrained by hierarchy, typically. There are going to be people who won't buy into the program and some of them will outrank you and that will be that. Ideally, you'll be able to get buy-in high enough up that you can trump any holdouts.

II) Internal/External

This is probably going to be part of a larger, strategic endeavor or program. This relationship might have a lot of variance to it - it could be a larger-scale campaign or it might be one-on-one communication with a customer POC. You might be working with current or prospective customers. So we're going to keep it generic.

Because you are still internal, all of the cultural/organizational stuff from above still applies here.

  • Support from other departments/teams - because this is focused on an external audience, it'll be appropriate or accepted to get assistance from others in the organization. I especially recommend working with public/customer relations and marketing teams. I recommend doing this for any communication but this will likely be the best opportunity to do it.

  • Guides and plans exist for this type of communication and you don't have to go it alone or totally reinvent the wheel.

However, there are some drawbacks

  • Can't force your audience to pay attention - While they might be more interested than the general public, their attention is totally voluntary and you'll need to earn it.

  • Might have to generalize - Depending on the diversity of the audience - and how much you know about them, you'll have to broaden your communication.

  • Too many cooks in the kitchen - on the flipside of the support you get from other departments, this communication will probably go through extensive approvals. This process can be very constructive but it can also be entirely soul-sucking.

When you're working internally, it's important to think creatively about what allies and resources you have access to. It's easy to take these sorts of things for granted - such as consistent access to your audience and a shared language.

III) External/Internal

In this case, you're an outsider coming in as an outside ostensibly to fix or change something. If you've already done consulting or contract work, none of these are going to be a surprise.

  • Because you were brought in for a very specific purpose, a certain level of buy-in is assumed. Someone fairly high in the organization approved your contract and they've paid you money. There's definitely a limit to this but it's a good starting point. It can also be used as support if you get any push-back.

  • More latitude to overcome bureaucracy - because you aren't part of the organization, you have more freedom of movement through the hierarchy. You can play the bad cop more easily.

  • Constrained time and access - because you're an outsider and likely on a contract, you aren't going to have unlimited access to people or unlimited time to persuade. You have to push a little harder

  • Have to build rapport - You don't have the same cultural scripts as an internal employee and are more likely to commit a faux pas. You're at much higher risk for stumbling face first into those interpersonal quagmires mentioned above. The balance of this is that people will likely be more forgiving because you are an outsider but you won't have the leg up of shared vocabulary and stories.

IV) External/External

This is definitely the toughest and rarest for security communication. However, it's fairly common in public relations. PR agencies communicate to a different organization's audiences, that's kind of their main job. So that's where you can look for guidance.

The key to communicating when you're an external force is that all of your efforts will be more structured and conscious. You'll have to plan the communication more because you don't have institutional knowledge to fall back on. You can't casually nudge people in the right direction while they're microwaving lunch or whatever - I mean, you can, but it might be weird. If you have the time, try finding someone to act as your sherpa - think of that scene in teen movies where someone gives the new student the low down on the lunchroom cliques

but without the gross stereotyping, hopefully. Learn as much as you can about your audience to make your communication more effective, no matter your relationship to them.

bottom of page