BOSTON – The cynical security wonk wouldn’t necessarily lower himself to use the word “cyber” in an elevator pitch about his profession or day-to-day responsibilities. After all, how would that go over in the Twittersphere, or at an industry conference?

At the risk of peer derision, security people frankly need to get over themselves and learn how to communicate the risks and threats businesses face every day in a language society at large speaks. Society speaks “cyber,” for example, and doesn’t relate to ideas and processes such as risk assessments, vulnerability management and any other ubiquitous notion in the security lexicon that just doesn’t translate outside the security bubble.

Justine Aitel, the head of cyber risk at Dow Jones, delivered that message during her keynote at Source Boston 2014 Tuesday afternoon. Aitel’s talk was a refreshing take on the echo chamber that plagues security, urging engineers, developers, administrators and researchers alike to escape the insular nature of the industry and, foremost, learn how to communicate with the outside world. She spoke of the problem in the context of what she called the participation age, where efforts such as crowdsourcing and crowdfunding have become pervasive and have flipped the balance of power and influence on its head.

“What has the participation age given us? It’s given a voice to the little guy and has brought transparency to the way the big guy works,” Aitel said. “IT risk has not moved into the participation age properly. We have failed to communicate well outside the industry with society at large. Society doesn’t understand what we do.”

Aitel emphasized the need for soft skills beyond just speaking the business’s language.

“We’ve amassed all this secret power and technical capabilities. We know how to start, stop and control systems,” Aitel said. “But with power comes problems. People in positions of power are not known as great communicators and are not known for being willing to evolve.

“If we want our industry to participate, we have to learn how to communicate beyond our industry, change the way we behave, listen, and share,” Aitel said. “Listening is hard, and most of us suck at listening. It sounds so basic, yet so many are not capable of doing this.”

Aitel is a year into her stint at Dow Jones, the parent company of the Wall Street Journal and other media properties. The media industry is in a time of flux and immense competitive pressure, and Aitel said flexibility and agility are key to long-term success. In her position as the enterprise’s top risk evaluator and policy maker, she’s charged with understanding and communicating risk beyond her team’s cubes. Having a spreadsheet of vulnerabilities is a record of risk to the business, but if she cannot explain why a particular CVE is a danger to Dow Jones, she won’t get prioritized development time to get code changes implemented.

“Change code requests are not good enough,” Aitel said. “I have to translate those into business risks. That’s really helped us.”

Aitel also pointed out another shortcoming: the lack of metrics that enable security management to make quick decisions about IT risk. Hiring consultants at a steep cost doesn’t scale when it comes to translating risks beyond vulnerabilities and threats. Again, learning softer skills is a necessity that goes hand in hand with technical chops.

“Our industry rewards people for their strengths. We celebrate vulnerability exploitation or cryptography expertise,” Aitel said. “We don’t celebrate people who work on weaknesses such as communication skills. If we don’t focus on them, we’re not going to be able to reach outside our industry and we won’t stay relevant in the participation age.”


Comments (6)

  1. fatbloke
    “Head of Cyber Risk”?! With a title like that, you’re part of the problem, not the solution. INFORMATION security professionals have been speaking the language of the business for years. It is precisely people like you who are REMOVING the credibility of the information security profession. What is “cyber”? It’s a bullsh*t meaningless marketing term that MEANS NOTHING. It is the “Emperor’s New Clothes” of information security. The “Y2K” moment of security. And I tell you what, our business leaders are going to be mad as hell when they find out that you’ve been mis-selling them this ‘cyber’ nonsense instead of REAL information security – that thing that security professionals have been doing for years. “Cyber” is marketing nonsense. Don’t fall for the hype and bullsh*t, people…

  2. JimmyDee
    Isn’t it sad, though, that the people who hold the reins are not given the responsibility to pay attention to their business, but instead rely on people with real intelligence to mash things up into a palatable mix?

    The alternative is that they believe that what IT does is a waste of time and not worth anything.

    From where I sit, if management doesn’t prioritize IT and security and the company suffers major setbacks (server meltdowns, back door ingress, ransomware), I see that as a management failing, not a failing of IT to pre-digest everything.

    It’s always important to portray one’s self as valuable and vital, but by the same token, this article reads as if anyone who works in IT has the responsibility of making IT decisions and management decisions.

    I am indeed fortunate that my budget is determined by necessity and best practice rather than the whims of a moronic manager.

    I guess it is little wonder that things like Adobe’s little indiscretion happen… and will happen more and more as management and shareholders get dumber and dumber.

  3. mitch
    What good is best practice if manufacturers and application providers continue to produce new back doors, pinging bridges for malware? Every new back door producer assumes he is the only one that will use it. Is everyone really focused on isolating communication behavior, or is there a lot of smoke and mirrors in the process?

  4. Paul T. Lambert
    Speaking cyber is just one piece of the puzzle. You’ll also have to grow long hair (or shave your head if balding), get some piercings or tattoos, wear torn jeans and t-shirts, and do a host of other things to make sure your act is right. Do you think anyone will take you seriously if you speak cyber but look like a trial lawyer or Wall Street bankster?

  5. CyberSurgeon
    It is time to embrace the “cyber”! “Cyber” used to be a prefix that was overused by people that didn’t know what they were talking about. That didn’t completely change, but the term cyber did become adopted by the people that set the standards – look at the NSA and cyberwar. You might not like it, but the “information security” and “information assurance” lingo was largely influenced by them and now it’s being updated with a simple and flexible prefix “cyber”. Are you going to say that NSA is not professional or that they don’t say “cyber”?