Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

2/14/2020
10:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

The 5 Love Languages of Cybersecurity

When it comes to building buy-in from the business, all cybersecurity needs is love -- especially when it comes to communication.

When most people, including the majority of us in the industry, think about cybersecurity, "lovable" isn't the first word that comes to mind. Cybersecurity has a "dark arts" reputation that conjures up images of shadowy hackers in hoodies slouched behind their laptops, out of sight from the rest of the organization except when it's time to serve up stern warnings to scare folks into staying safe online.

Of course, much of that is by design. Cybersecurity isn't an industry built on approachability; it's known for building digital barriers to protect networks, data, and devices. But leading with FUD (fear, uncertainty, and doubt) won't get you far with key constituents at your company. In my experience, when it comes to building buy-in from the business, all cybersecurity needs is love — especially when it comes to communication.

That's where love languages — the five ways people express and experience love — comes in. The idea is that effective communication with loved ones means ditching a "me-first" mindset, so we understand their needs and act accordingly. The same is true for security. We can't have a "cybersecurity-first, business-second" mindset. We have to right-size security to each facet of the business so that we understand how each one operates, and how we can best support them. On Valentine's Day, I thought I'd share how these five love languages apply to cybersecurity and the teams we interact with.

The Love Language of Touch: Engineers
Let's be clear. Your engineers — whether they're in product development, DevOps, or in your data center — aren't looking for a handshake or a hug. But they do want to feel like you're helping with the heavy lifting as they build code, instead of slowing them down. They're not here to educate you on engineering. Security needs to care about the code down to its core. The more technical context you can provide, even the lowest-level details about an exploit, the more confident engineers will feel as they build. It's not enough for security to show up and say, "We have a SQL injection here. Fix it." We need to explain the risk and offer enough details to solve it.

The Love Language of Quality Time: Legal Team
Besides security, no one quite appreciates and understands risk quite like your legal team. They have deep knowledge of the foundational principles of risk and how they translate to liability. So they want to sit down and solve problems with a team that not only translates the technical side but also understands and appreciates the value of compliance. They want a trusted adviser who can spend the time with them to home in on what the risks really are, how likely they are to happen, and frame them up in terms of controls. Say, for example, you want to run a bug bounty program. Cybersecurity should be prepared to discuss how it's safeguarding data, and the processes put in place to make it a safe and secure testing ground.

The Love Language of Acts of Service: Marketing and BizDev
These teams care deeply about the impact cybersecurity has on customer experience, especially when friction is introduced into the product because of security controls. For cybersecurity, the why is important here, but so is the how — as in, how is this going to affect the people who use our product? Let's say a security team wants to introduce a captcha. They need to explain why doing so will keep customers secure, but also how to go about it in an uncomplicated way so the customer doesn't have to jump through more hoops than necessary.

The Love Language of Giving and Receiving Gifts: C-Suite
Your top leadership is most interested in the top risks the company faces. Cybersecurity's job is to prioritize those risks by contextualizing them within the business, and then determine when the company needs to take action. The gifts you give the C-suite are a map and GPS. The map is an understanding of the geography of risks; the GPS is a recommendation of what path to take. If the C-suite, for instance, asks about where it should allocate engineering resources, cybersecurity can't answer as an entity unto itself. It needs to put business needs first so leadership understands the trade-offs of each scenario and arrives at the best decision possible.

The Love Language of Words of Affirmation: Board Members
This isn't about telling the board what they want to hear or sugarcoating the truth. It means providing them with context and information that enables them to give sound advice and hold the company accountable to the decisions it makes. Speaking to the board means educating them on trends and patterns to develop informed opinions. If you're a CISO presenting enterprise risk to the board, do more than explain what you're working on. Talk about how you plan to address issues and how long it will take.

The universal language of cybersecurity is why but how you communicate that why varies with each group with whom cybersecurity engages. Cybersecurity can't just hide behind its hoodies or expect people to comply with its policies just because it says so. It needs to share the love and meet people where they are, in a way they understand, to build buy-in and gain trust.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Chaos & Order: The Keys to Quantum-Proof Encryption"

Fredrick "Flee" Lee is the Chief Security Officer at Gusto, where he leads information and physical security strategies including consumer protection, compliance, governance and risk. Before Gusto, Flee spent more than 15 years leading global information security and privacy ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-16632
PUBLISHED: 2021-05-15
A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter.
CVE-2021-32073
PUBLISHED: 2021-05-15
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
CVE-2021-33033
PUBLISHED: 2021-05-14
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
CVE-2021-33034
PUBLISHED: 2021-05-14
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.
CVE-2019-25044
PUBLISHED: 2021-05-14
The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.