Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

2/14/2020
10:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

The 5 Love Languages of Cybersecurity

When it comes to building buy-in from the business, all cybersecurity needs is love -- especially when it comes to communication.

When most people, including the majority of us in the industry, think about cybersecurity, "lovable" isn't the first word that comes to mind. Cybersecurity has a "dark arts" reputation that conjures up images of shadowy hackers in hoodies slouched behind their laptops, out of sight from the rest of the organization except when it's time to serve up stern warnings to scare folks into staying safe online.

Of course, much of that is by design. Cybersecurity isn't an industry built on approachability; it's known for building digital barriers to protect networks, data, and devices. But leading with FUD (fear, uncertainty, and doubt) won't get you far with key constituents at your company. In my experience, when it comes to building buy-in from the business, all cybersecurity needs is love — especially when it comes to communication.

That's where love languages — the five ways people express and experience love — comes in. The idea is that effective communication with loved ones means ditching a "me-first" mindset, so we understand their needs and act accordingly. The same is true for security. We can't have a "cybersecurity-first, business-second" mindset. We have to right-size security to each facet of the business so that we understand how each one operates, and how we can best support them. On Valentine's Day, I thought I'd share how these five love languages apply to cybersecurity and the teams we interact with.

The Love Language of Touch: Engineers
Let's be clear. Your engineers — whether they're in product development, DevOps, or in your data center — aren't looking for a handshake or a hug. But they do want to feel like you're helping with the heavy lifting as they build code, instead of slowing them down. They're not here to educate you on engineering. Security needs to care about the code down to its core. The more technical context you can provide, even the lowest-level details about an exploit, the more confident engineers will feel as they build. It's not enough for security to show up and say, "We have a SQL injection here. Fix it." We need to explain the risk and offer enough details to solve it.

The Love Language of Quality Time: Legal Team
Besides security, no one quite appreciates and understands risk quite like your legal team. They have deep knowledge of the foundational principles of risk and how they translate to liability. So they want to sit down and solve problems with a team that not only translates the technical side but also understands and appreciates the value of compliance. They want a trusted adviser who can spend the time with them to home in on what the risks really are, how likely they are to happen, and frame them up in terms of controls. Say, for example, you want to run a bug bounty program. Cybersecurity should be prepared to discuss how it's safeguarding data, and the processes put in place to make it a safe and secure testing ground.

The Love Language of Acts of Service: Marketing and BizDev
These teams care deeply about the impact cybersecurity has on customer experience, especially when friction is introduced into the product because of security controls. For cybersecurity, the why is important here, but so is the how — as in, how is this going to affect the people who use our product? Let's say a security team wants to introduce a captcha. They need to explain why doing so will keep customers secure, but also how to go about it in an uncomplicated way so the customer doesn't have to jump through more hoops than necessary.

The Love Language of Giving and Receiving Gifts: C-Suite
Your top leadership is most interested in the top risks the company faces. Cybersecurity's job is to prioritize those risks by contextualizing them within the business, and then determine when the company needs to take action. The gifts you give the C-suite are a map and GPS. The map is an understanding of the geography of risks; the GPS is a recommendation of what path to take. If the C-suite, for instance, asks about where it should allocate engineering resources, cybersecurity can't answer as an entity unto itself. It needs to put business needs first so leadership understands the trade-offs of each scenario and arrives at the best decision possible.

The Love Language of Words of Affirmation: Board Members
This isn't about telling the board what they want to hear or sugarcoating the truth. It means providing them with context and information that enables them to give sound advice and hold the company accountable to the decisions it makes. Speaking to the board means educating them on trends and patterns to develop informed opinions. If you're a CISO presenting enterprise risk to the board, do more than explain what you're working on. Talk about how you plan to address issues and how long it will take.

The universal language of cybersecurity is why but how you communicate that why varies with each group with whom cybersecurity engages. Cybersecurity can't just hide behind its hoodies or expect people to comply with its policies just because it says so. It needs to share the love and meet people where they are, in a way they understand, to build buy-in and gain trust.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Chaos & Order: The Keys to Quantum-Proof Encryption"

Fredrick "Flee" Lee is the Chief Security Officer at Gusto, where he leads information and physical security strategies including consumer protection, compliance, governance and risk. Before Gusto, Flee spent more than 15 years leading global information security and privacy ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I think the boss is bing watching '70s TV shows again!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-14451
PUBLISHED: 2020-12-02
An exploitable out-of-bounds read vulnerability exists in libevm (Ethereum Virtual Machine) of CPP-Ethereum. A specially crafted smart contract code can cause an out-of-bounds read which can subsequently trigger an out-of-bounds write resulting in remote code execution. An attacker can create/send m...
CVE-2017-2910
PUBLISHED: 2020-12-02
An exploitable Out-of-bounds Write vulnerability exists in the xls_addCell function of libxls 2.0. A specially crafted xls file can cause a memory corruption resulting in remote code execution. An attacker can send malicious xls file to trigger this vulnerability.
CVE-2020-13493
PUBLISHED: 2020-12-02
A heap overflow vulnerability exists in Pixar OpenUSD 20.05 when the software parses compressed sections in binary USD files. A specially crafted USDC file format path jumps decompression heap overflow in a way path jumps are processed. To trigger this vulnerability, the victim needs to open an atta...
CVE-2020-13494
PUBLISHED: 2020-12-02
A heap overflow vulnerability exists in the Pixar OpenUSD 20.05 parsing of compressed string tokens in binary USD files. A specially crafted malformed file can trigger a heap overflow which can result in out of bounds memory access which could lead to information disclosure. This vulnerability could...
CVE-2020-13496
PUBLISHED: 2020-12-02
An exploitable vulnerability exists in the way Pixar OpenUSD 20.05 handles parses certain encoded types. A specially crafted malformed file can trigger an arbitrary out of bounds memory access in TfToken Type Index. This vulnerability could be used to bypass mitigations and aid further exploitation....