I've been fascinated by the difference between what one person writes, says, or does and what another person reads, hears, or perceives. Consider a situation we have likely all encountered: We are on a work call where one person shares some information, such as, "Project XYZ is on track and expected to be completed on time by the end of the calendar year." It is quite common that at some point during the call after that statement is made, either someone will ask, "What is the status of Project XYZ?" or someone will incorrectly repeat what was said (e.g., "Project XYZ will not be completed on time by the end of the calendar year").
While this may be frustrating, there is not much we can do about it other than try to understand that people sometimes do not receive what was shared with them, but rather something different entirely.
Moreover, security professionals can learn an important lesson as well. As we work to mitigate risk and improve the security postures of our organizations, we must remember that regardless of how effective we are or how hard we work, the perception of our work matters more than the work itself. We can either embrace this reality and work with it, or reject the truth and hurt our security programs by not working to ensure that others correctly perceive our full value.
I've come up with a few possible reasons why reality is the way it is. It is not an exhaustive list, of course. Here are seven reasons why people sometimes receive a very different message than we send, and how we can compensate.
1. People Don't Read
It may be hard for those reading this article to believe, but some people just don't read. Regardless of the medium (email, text, chat, document, presentation, etc.), we as security professionals simply cannot rely on people reading what we write. This is important to remember when engaging important stakeholders.
Workaround: Even if we've prepared and shared read-ahead materials, and despite multiple communications on a topic, there's no guarantee that the audience is up to speed. Thus, we need to walk a fine line between rehashing old points and ensuring everyone is starting from the same understanding. It is a challenge that, if handled well, helps security teams move forward their strategic initiatives and get their messages out.
2. People Don't Listen
Sad but true. I'm sure we've all been involved in meetings or discussions where we feel like we've made our point or shared some piece of information five times, yet some people still heard it. While this is frustrating, it is, unfortunately, reality.
Workaround: We need to prioritize the information we communicate and remain focused on continually communicating the most important pieces of information through a variety of means and media.
3. People Build a Picture Based on Assumptions
Some people tend to make assumptions when they lack facts and knowledge or don't fully understand what is actually going on. The trouble starts when people don't realize they are doing this and truly believe they understand the whole picture.
Workaround: As security professionals, we need to provide the necessary data points for our stakeholders so they can form an accurate picture of what is going on. Allowing them to piece together an inaccurate picture based on assumptions can harm the way our security programs are perceived and hamper our ability to make progress.
4. People Confuse Facts and Opinions
In the movie Inside Out, the character Joy says, "Oh no! These facts and opinions look so similar!" This has proved true in my experience. To some people, the difference between fact and opinion is clear, but others see no perceivable difference.
Workaround: It is important to document the truth. As a quote often attributed to Mark Twain so accurately captures, "It's easier to fool people than to convince them that they have been fooled."
5. People Aren't Logical
Few things frustrate logical people more than people who are not. They don't draw conclusions based on facts, evidence, or logic, but instead on what makes sense to them, how they feel about a topic, and what they think is true. Security professionals who don't understand this often miss the signs that show that is why they're encountering resistance.
Workaround: Understanding our audience and what is driving their conclusions can help us address misunderstandings.
6. People Don't Use Occam's Razor
Occam's razor is a philosophical principle that posits, "Of two competing theories, the simpler explanation of an entity is to be preferred." As security professionals, we often see Occam's razor in the context of simple yet elegant and effective solutions. Unfortunately, some people are not calibrated this way, and they have trouble getting to the most logical, simple, and straightforward explanation or solution.
Workaround: Sometimes we need to help our stakeholders get there in order to help ourselves. Be patient and try explaining yourself in a different way.
7. People Don't Have Good Judgment
We all know the saying that "there are two sides to every story." But sometimes one side is just plain wrong. Even so, it is difficult for some people to see that because they have poor judgment (at least outside of their main expertise).
Workaround: We cannot rely on the judgment of others when it comes to security. We must be explicit, clear, and concise in our guidance, explanations, and requests.
In an ideal world, if we act or communicate clearly, we would expect that people received that act or communication clearly with its intended meaning. Unfortunately, we do not live in an ideal world — instead, we live in the reality where perception is what matters. By being aware of this and adjusting our delivery accordingly, security professionals can more effectively show their programs' value and thus more effectively improve their organizations' security posture.