Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

2/14/2020
10:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

The 5 Love Languages of Cybersecurity

When it comes to building buy-in from the business, all cybersecurity needs is love -- especially when it comes to communication.

When most people, including the majority of us in the industry, think about cybersecurity, "lovable" isn't the first word that comes to mind. Cybersecurity has a "dark arts" reputation that conjures up images of shadowy hackers in hoodies slouched behind their laptops, out of sight from the rest of the organization except when it's time to serve up stern warnings to scare folks into staying safe online.

Of course, much of that is by design. Cybersecurity isn't an industry built on approachability; it's known for building digital barriers to protect networks, data, and devices. But leading with FUD (fear, uncertainty, and doubt) won't get you far with key constituents at your company. In my experience, when it comes to building buy-in from the business, all cybersecurity needs is love — especially when it comes to communication.

That's where love languages — the five ways people express and experience love — comes in. The idea is that effective communication with loved ones means ditching a "me-first" mindset, so we understand their needs and act accordingly. The same is true for security. We can't have a "cybersecurity-first, business-second" mindset. We have to right-size security to each facet of the business so that we understand how each one operates, and how we can best support them. On Valentine's Day, I thought I'd share how these five love languages apply to cybersecurity and the teams we interact with.

The Love Language of Touch: Engineers
Let's be clear. Your engineers — whether they're in product development, DevOps, or in your data center — aren't looking for a handshake or a hug. But they do want to feel like you're helping with the heavy lifting as they build code, instead of slowing them down. They're not here to educate you on engineering. Security needs to care about the code down to its core. The more technical context you can provide, even the lowest-level details about an exploit, the more confident engineers will feel as they build. It's not enough for security to show up and say, "We have a SQL injection here. Fix it." We need to explain the risk and offer enough details to solve it.

The Love Language of Quality Time: Legal Team
Besides security, no one quite appreciates and understands risk quite like your legal team. They have deep knowledge of the foundational principles of risk and how they translate to liability. So they want to sit down and solve problems with a team that not only translates the technical side but also understands and appreciates the value of compliance. They want a trusted adviser who can spend the time with them to home in on what the risks really are, how likely they are to happen, and frame them up in terms of controls. Say, for example, you want to run a bug bounty program. Cybersecurity should be prepared to discuss how it's safeguarding data, and the processes put in place to make it a safe and secure testing ground.

The Love Language of Acts of Service: Marketing and BizDev
These teams care deeply about the impact cybersecurity has on customer experience, especially when friction is introduced into the product because of security controls. For cybersecurity, the why is important here, but so is the how — as in, how is this going to affect the people who use our product? Let's say a security team wants to introduce a captcha. They need to explain why doing so will keep customers secure, but also how to go about it in an uncomplicated way so the customer doesn't have to jump through more hoops than necessary.

The Love Language of Giving and Receiving Gifts: C-Suite
Your top leadership is most interested in the top risks the company faces. Cybersecurity's job is to prioritize those risks by contextualizing them within the business, and then determine when the company needs to take action. The gifts you give the C-suite are a map and GPS. The map is an understanding of the geography of risks; the GPS is a recommendation of what path to take. If the C-suite, for instance, asks about where it should allocate engineering resources, cybersecurity can't answer as an entity unto itself. It needs to put business needs first so leadership understands the trade-offs of each scenario and arrives at the best decision possible.

The Love Language of Words of Affirmation: Board Members
This isn't about telling the board what they want to hear or sugarcoating the truth. It means providing them with context and information that enables them to give sound advice and hold the company accountable to the decisions it makes. Speaking to the board means educating them on trends and patterns to develop informed opinions. If you're a CISO presenting enterprise risk to the board, do more than explain what you're working on. Talk about how you plan to address issues and how long it will take.

The universal language of cybersecurity is why but how you communicate that why varies with each group with whom cybersecurity engages. Cybersecurity can't just hide behind its hoodies or expect people to comply with its policies just because it says so. It needs to share the love and meet people where they are, in a way they understand, to build buy-in and gain trust.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Chaos & Order: The Keys to Quantum-Proof Encryption"

Fredrick "Flee" Lee is the Chief Security Officer at Gusto, where he leads information and physical security strategies including consumer protection, compliance, governance and risk. Before Gusto, Flee spent more than 15 years leading global information security and privacy ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/22/2020
How an Industry Consortium Can Reinvent Security Solution Testing
Henry Harrison, Co-founder & Chief Technology Officer, Garrison,  5/21/2020
Is Zero Trust the Best Answer to the COVID-19 Lockdown?
Dan Blum, Cybersecurity & Risk Management Strategist,  5/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10737
PUBLISHED: 2020-05-27
A race condition was found in the mkhomedir tool shipped with the oddjob package in versions before 0.34.5 and 0.34.6 wherein, during the home creation, mkhomedir copies the /etc/skel directory into the newly created home and changes its ownership to the home's user without properly checking the hom...
CVE-2020-13622
PUBLISHED: 2020-05-27
JerryScript 2.2.0 allows attackers to cause a denial of service (assertion failure) because a property key query for a Proxy object returns unintended data.
CVE-2020-13623
PUBLISHED: 2020-05-27
JerryScript 2.2.0 allows attackers to cause a denial of service (stack consumption) via a proxy operation.
CVE-2020-13616
PUBLISHED: 2020-05-26
The boost ASIO wrapper in net/asio.cpp in Pichi before 1.3.0 lacks TLS hostname verification.
CVE-2020-13614
PUBLISHED: 2020-05-26
An issue was discovered in ssl.c in Axel before 2.17.8. The TLS implementation lacks hostname verification.