Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
Connect Directly
E-Mail vvv

The 5 Love Languages of Cybersecurity

When it comes to building buy-in from the business, all cybersecurity needs is love -- especially when it comes to communication.

When most people, including the majority of us in the industry, think about cybersecurity, "lovable" isn't the first word that comes to mind. Cybersecurity has a "dark arts" reputation that conjures up images of shadowy hackers in hoodies slouched behind their laptops, out of sight from the rest of the organization except when it's time to serve up stern warnings to scare folks into staying safe online.

Of course, much of that is by design. Cybersecurity isn't an industry built on approachability; it's known for building digital barriers to protect networks, data, and devices. But leading with FUD (fear, uncertainty, and doubt) won't get you far with key constituents at your company. In my experience, when it comes to building buy-in from the business, all cybersecurity needs is love — especially when it comes to communication.

That's where love languages — the five ways people express and experience love — comes in. The idea is that effective communication with loved ones means ditching a "me-first" mindset, so we understand their needs and act accordingly. The same is true for security. We can't have a "cybersecurity-first, business-second" mindset. We have to right-size security to each facet of the business so that we understand how each one operates, and how we can best support them. On Valentine's Day, I thought I'd share how these five love languages apply to cybersecurity and the teams we interact with.

The Love Language of Touch: Engineers
Let's be clear. Your engineers — whether they're in product development, DevOps, or in your data center — aren't looking for a handshake or a hug. But they do want to feel like you're helping with the heavy lifting as they build code, instead of slowing them down. They're not here to educate you on engineering. Security needs to care about the code down to its core. The more technical context you can provide, even the lowest-level details about an exploit, the more confident engineers will feel as they build. It's not enough for security to show up and say, "We have a SQL injection here. Fix it." We need to explain the risk and offer enough details to solve it.

The Love Language of Quality Time: Legal Team
Besides security, no one quite appreciates and understands risk quite like your legal team. They have deep knowledge of the foundational principles of risk and how they translate to liability. So they want to sit down and solve problems with a team that not only translates the technical side but also understands and appreciates the value of compliance. They want a trusted adviser who can spend the time with them to home in on what the risks really are, how likely they are to happen, and frame them up in terms of controls. Say, for example, you want to run a bug bounty program. Cybersecurity should be prepared to discuss how it's safeguarding data, and the processes put in place to make it a safe and secure testing ground.

The Love Language of Acts of Service: Marketing and BizDev
These teams care deeply about the impact cybersecurity has on customer experience, especially when friction is introduced into the product because of security controls. For cybersecurity, the why is important here, but so is the how — as in, how is this going to affect the people who use our product? Let's say a security team wants to introduce a captcha. They need to explain why doing so will keep customers secure, but also how to go about it in an uncomplicated way so the customer doesn't have to jump through more hoops than necessary.

The Love Language of Giving and Receiving Gifts: C-Suite
Your top leadership is most interested in the top risks the company faces. Cybersecurity's job is to prioritize those risks by contextualizing them within the business, and then determine when the company needs to take action. The gifts you give the C-suite are a map and GPS. The map is an understanding of the geography of risks; the GPS is a recommendation of what path to take. If the C-suite, for instance, asks about where it should allocate engineering resources, cybersecurity can't answer as an entity unto itself. It needs to put business needs first so leadership understands the trade-offs of each scenario and arrives at the best decision possible.

The Love Language of Words of Affirmation: Board Members
This isn't about telling the board what they want to hear or sugarcoating the truth. It means providing them with context and information that enables them to give sound advice and hold the company accountable to the decisions it makes. Speaking to the board means educating them on trends and patterns to develop informed opinions. If you're a CISO presenting enterprise risk to the board, do more than explain what you're working on. Talk about how you plan to address issues and how long it will take.

The universal language of cybersecurity is why but how you communicate that why varies with each group with whom cybersecurity engages. Cybersecurity can't just hide behind its hoodies or expect people to comply with its policies just because it says so. It needs to share the love and meet people where they are, in a way they understand, to build buy-in and gain trust.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Chaos & Order: The Keys to Quantum-Proof Encryption"

Fredrick "Flee" Lee is the Chief Security Officer at Gusto, where he leads information and physical security strategies including consumer protection, compliance, governance and risk. Before Gusto, Flee spent more than 15 years leading global information security and privacy ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-16
FOGProject v1.5.9 is affected by a File Upload RCE (Authenticated).
PUBLISHED: 2021-06-16
Cross Site Scripting (XSS) in Moodle 3.10.3 allows remote attackers to execute arbitrary web script or HTML via the "Description" field.
PUBLISHED: 2021-06-16
In PageKit v1.0.18, a user can upload SVG files in the file upload portion of the CMS. These SVG files can contain malicious scripts. This file will be uploaded to the system and it will not be stripped or filtered. The user can create a link on the website pointing to "/storage/exp.svg" t...
PUBLISHED: 2021-06-16
D-Link DIR-2640-US 1.01B04 is vulnerable to Buffer Overflow. There are multiple out-of-bounds vulnerabilities in some processes of D-Link AC2600(DIR-2640). Local ordinary users can overwrite the global variables in the .bss section, causing the process crashes or changes.
PUBLISHED: 2021-06-16
D-Link DIR-2640-US 1.01B04 is vulnerable to Incorrect Access Control. Router ac2600 (dir-2640-us), when setting PPPoE, will start quagga process in the way of whole network monitoring, and this function uses the original default password and port. An attacker can easily use telnet to log in, modify ...