Now that I’ve covered the first incident that pulled me into security communication and shown how infosec and crisis communication intersect, I’m happy to move on. Too often, communication is only used in infosec when there is a crisis. Communication has a lot more to offer than just crisis management and, when used properly, it might help reduce the need for crisis communication, or make the crisis communication easier. In this post and a couple to follow, I’ll be discussing some of the non-crisis areas in which communication can be helpful to security professionals.
A current buzz term for infosec. It’s definitely not a new conversation, but it seems to be gaining momentum lately. Most of the lists either imply or blatantly state the importance of communication skills for security professionals. These communication skills range from basic professionalism to advocating for solutions and handling incident response. In conversations I’ve had at conferences, these skills also extend to patience and empathy when dealing with end-users. Most people think they are good at communicating and, having taught public speaking, I can say that most people are OK, but there’s always room for improvement. Simple coaching or training can make a world of difference. A big caveat is that the training should be tailored to the specific instances and contexts in which the communication will occur. While there are some common threads, the communication skills needed for working with end-users and those needed for working with the C-suite differ substantially.
Value and ROI
I was inspired to include this section by an interaction between Melanie Ensign (@iMeluny) and Stephan Somogyi (@thinkpanzer) on Twitter not too long ago. Melanie pointed out that PR as a field has a lot of experience having to show value for “non-tangible” services. Both PR and security can be seen as money better spent elsewhere, particularly by newer, leaner organizations.
The major tip from PR is to align the benefits of security and privacy with corporate goals. How does security help the corporation achieve its objectives? There are a variety of corporate objectives that security and privacy can be framed as supporting. Most corporate objectives are tied to reputation or brand identity and, by extension, profits. Breaches/hacks are bad for reputation. The important steps are: 1) providing evidence that the current security stance increases the likelihood of a crisis; 2) explaining how a breach would negatively affect the corporate brand (this is a good time to partner with PR/marketing); and 3) successfully arguing that the proposed spending/software/personnel/etc. will reduce the chances of a breach happening. These steps aren’t arbitrary. They’re from risk communication, the next area where communication can support security.
PR practitioners and security/privacy professionals have a type of expertise that isn’t necessarily widely understood. Undergraduate PR courses actually spend time discussing how PR professionals should describe what they do and what they offer. With security, that expertise is seen as almost magical. It’s different from PR, but the underlying issue is consistent enough that lessons from PR might be helpful. For both PR and security, the expertise required might be forgotten or devalued from time to time, but organizations depend on it for success and are quick to turn to it (or on it) when something goes wrong. If you can highlight the unique skills and, more importantly, how they need to be used consistently and not just at a time of crisis, and if you can back it up with evidence (statistics, comparable cases, anecdotes), you can improve the odds that the expertise isn’t devalued until something goes wrong.
Risk communication is a pretty robust field of research and practice. It’s heavily focused on health but takes what’s called an “all-hazards” approach: the goal of the research is to develop recommendations that can be applied to a variety of situations. Risk communication focuses on achieving behavioral change to alleviate threats. The first step in this process is to make your audience accept that there is a threat and that it affects them. This can be done through statistics or comparable cases; the next post is going to dive into this in more detail. The gist is that people are terrible at risk assessment and, to make threats real, you need to know what is persuasive to your audience. Think about their needs, values, experiences, the corporate culture, etc. This can come down to individual personality, and you’re always better off convincing people with whom you’re familiar, but there are some standard appeals, like presenting the threat in terms of lost operational time or impact on the bottom line. Once the threat has been made real, you have to tell people how to alleviate it. That brings us over into another sub-area of risk communication: preparedness. Preparedness is really just a step in risk communication, but I wanted to tease the two apart here.
Your audience - whoever they are - has accepted that they are at risk. The next step is behavior change. Simple enough, right? No? Well, in that case, let’s talk about efficacy. Efficacy is “the power to produce an effect.” For risk communication, efficacy has two prongs: self-efficacy is the judgment of whether one can actually perform the recommended action (can the company afford your recommendations, does the patient have the time to do the recommended exercises); response efficacy is the judgment of whether the recommended actions will actually alleviate the threat. Both of these are judgments that can be pushed in a particular direction using communication.
Note: Totally alleviating the threat isn’t always possible so some preparedness communication has to be framed in terms of mitigating the damage. It’s best to be honest about these situations. If the focus is on reducing damage, don’t give the false impression that the solutions offered can prevent the crisis from happening altogether. That’s a great way to lose trust and make it that much harder to achieve behavioral change in the future.
These are just a handful of ways that communication can be used in non-crisis situations for infosec. Granted, two of them are crisis-related, but ask some crisis scholars and they’ll say there’s no such thing as “non-crisis,” just pre-crisis. I wouldn’t say that I follow that philosophy, but effective communication makes an immense difference when a crisis hits. I plan to expand on all of these areas of communication in future posts but wanted to give an overview first.