Sunday December 8, 2019

Talking through the threats

Having good IT security in place is no good if your internal people are not clued in, which is why communication is an important part of what Integrity 360 does, writes Quinton O’Reilly

17th November, 2019
Derek Ashmore, professional services manager at Integrity 360: ‘If you don’t get it right first, you just waste everyone’s time’

Good communication requires a shared language. Sometimes that may mean you have to simplify what you’re explaining, use reference points that the other party can understand or show how something will affect them.

This challenge has been a constant factor in security circles, where bridging the gap between the reality and understanding brings its own challenges, according to Derek Ashmore, professional services manager at Integrity 360.

“Those challenges have always been there; perception versus reality,” he said. “What people interpret when they see a wording or trend, it’s sometimes completely different from what a service provider or manufacturer would understand that term to be.”

“If you don’t get clarity from the outset of that conversation, you end up having a conversation where you all think you’re talking about the same thing . . . that miscommunication, if you don’t get it right first, you just waste everyone’s time in the initial start-up.”

The reason that communication is so important, especially at the early stages, is so everyone knows what destination they’re trying to reach.

For Ashmore, that’s the first question they’ll ask before following it up with where you’re coming from. If you don’t know either or both, then it’s very difficult to put together a coherent plan and know the type of journey you’re going to embark on.

The direction you go in is more than just the product or services you’re using, it’s a fusion of policies, processes and people. The latter is important, as people can easily overlook what their responsibilities are and just assume they’re safe.

“Their assumption is that security is there,” he said. “If you’re not keeping your internal people aware, and train them to be savvy about what might happen, they become your weakest link.”

“For all the perimeter stuff that you put in, it won’t do you any good if someone gets a phishing email and clicks on it. [They’ll do that because] if it looks like it comes from the right company [they’ll click on it].”

It doesn’t help matters that talent is thin on the ground, so it’s up to companies such as Integrity 360 to help organisations bridge the gap. That shortage also means security service providers are in a battle to get in the best people so they can offer the necessary services.

Providing such a service brings its own challenges: keeping up with all the developments in the threat landscape is crucial and is a constant process.

“If we stand still, we’re dead,” said Ashmore. “We can’t say we’ve done enough training, and covered it all off, we got to be in this constant cycle of carrying the best level of accreditation against technology and across the broader industry.”

This is something that many businesses say they consider, but don’t practise in the ways that matter. When designing a product, app or service, security has to be included from the start.

Much is made of whether such a move will increase the bottom line, decrease costs or improve efficiency, but the question of how it impacts security doesn’t come up without some prompting.

“They say that [this decision] enhances and delivers, but have they thought about the exposure?” he asked.

“Have they exposed the business by doing this, have they understood that they need to take a security-first mentality. That’s the way we have gone into companies; you start with those conversations.”

The minimum for Integrity 360 is to have people who can enable those conversations because, once they scratch the surface, they reveal the true extent of how a major business decision can impact security.

All companies have blind spots, some greater than others, and making them aware of the unknowns, the things that they would never have considered in the first place, is important.

“The trick is now getting to talk to the customers about the unknown unknown,” said Ashmore. “They don’t even know what the threat is and don’t know what they’re doing so how can we help them in that environment?

“That only works when you have people who have the highest level of accreditations, the highest level of skillsets, not just in technology but in business, so understand the impacts of the business, understand whether this could help you, whether there is a different model.

“Your protection landscape is good, but if you rejigged it, it’s not necessarily about selling you more, it can be a case of redeploying and using what you have in a better way.”

It’s important for this to be the case as the threats will always try to stay a step ahead of the threat cycle.

“The challenge for us is to try and stay aligned to where those threats are coming from and keep that knowledge in the forefront. We have to be in a constant learning cycle,” Ashmore said.
