BOSTON – The cynical security wonk wouldn’t necessarily lower himself to use the word “cyber” in an elevator pitch about his profession or day-to-day responsibilities. After all, how would that go over in the Twittersphere, or at an industry conference?
At the risk of peer derision, security people frankly need to get over themselves and learn how to communicate the risks and threats businesses face every day in a language society at large speaks. Society speaks “cyber,” for example, and doesn’t relate to ideas and processes such as risk assessments, vulnerability management and any other ubiquitous notion in the security lexicon that just doesn’t translate outside the security bubble.
Justine Aitel, the head of cyber risk at Dow Jones, delivered that message during her keynote at Source Boston 2014 Tuesday afternoon. Aitel’s talk was a refreshing take on the echo chamber that plagues security, urging engineers, developers, administrators and researchers alike to escape the insular nature of the industry and foremost, learn how to communicate with the outside world. She spoke of the problem in the context of what she called the participation age, where efforts such as crowdsourcing and crowdfunding have become pervasive and have flipped the balance of power and influence on its head.
“What has the participation age given us? It’s given a voice to the little guy and has brought transparency to the way the big guy works,” Aitel said. “IT risk has not moved into the participation age properly. We have failed to communicate well outside the industry with society at large. Society doesn’t understand what we do.”
Aitel emphasized the need for soft skills beyond just speaking the business’s language.
“We’ve amassed all this secret power and technical capabilities. We know how to start, stop and control systems,” Aitel said. “But with power comes problems. People in positions of power are not known as great communicators and are not known for being willing to evolve.
“If we want our industry to participate, we have to learn how to communicate beyond our industry, change the way we behave, listen, and share,” Aitel said. “Listening is hard, and most of us suck at listening. It sounds so basic, yet so many are not capable of doing this.”
Aitel is a year into her stint at Dow Jones, the parent company of the Wall Street Journal and other media properties. The media industry is in a time of flux and immense competitive pressure, and Aitel said flexibility and agility are key to long-term success. In her position as the enterprise’s top risk evaluator and policy maker, she’s charged with understanding and communicating risk beyond her team’s cubes. Having a spreadsheet of vulnerabilities is a record of risk to the business, but if she cannot explain why a particular CVE is a danger to Dow Jones, she won’t get prioritized development time to get code changes implemented.
“Change code requests are not good enough,” Aitel said. “I have to translate those into business risks. That’s really helped us.”
Aitel also pointed out another shortcoming: the lack of metrics that enable security management to make quick decisions about IT risk. Hiring consultants at a steep cost doesn’t scale when it comes to translating risks beyond vulnerabilities and threats. Again, learning softer skills is a necessity that goes hand in hand with technical chops.
“Our industry rewards people for their strengths. We celebrate vulnerability exploitation or cryptography expertise,” Aitel said. “We don’t celebrate people who work on weaknesses such as communication skills. If we don’t focus on them, we’re not going to be able to reach outside our industry and we won’t stay relevant in the participation age.”