How to Present Security So People Will Listen — and Take Action

Technology professionals often have a hard time presenting important online safety topics to the masses. Key ‘cyber hygiene’ messages are usually ignored. Here are some tips to help — and reasons to keep trying.

April 8, 2018

How are you doing at spreading helpful information regarding online life to those around you each and every day? Are you being an online ambassador for good?

Do you speak to those around you about how they can make wise decisions in cyberspace and protect their privacy and personal information while using the Internet?

Are you providing helpful tips and practices for family and friends? How about offering online privacy examples to organizations in your area that need help, such as schools, churches, senior centers and other nonprofit groups who struggle to know where to go for help?

Getting Personal: Quick Quiz

For example: Have you ever asked others how they are doing regarding online cyberhygiene?

Here’s a quick two-question quiz to help assess where you are regarding cybersafety:

  • Do you use two-factor (or two-step) authentication for logging into email?
  • Do you regularly back up your PC(s) and mobile phone (at least once every few months)?

The Sad Truth

If you answered yes to both of these questions, CONGRATULATIONS! You are in the small minority of global Internet users. Keep up the good work and spread the word about cybersafety.

But the sad truth is that metrics point to failure all around us.

According to this Tech Republic article from earlier this year, less than 10 percent of Gmail users enable two-step verification (sometimes called multi-factor authentication) — which is a great free service that helps protect your email account from hackers. (The article also shows you how to enable the Gmail security service.) In addition, most social media websites, including LinkedIn and Facebook and other email services like Yahoo, offer two-factor authentication for free, but only 1 in 10 people use this extra security.

Meanwhile, according to PC Magazine, 84 percent of households own a computer and 89 percent own a mobile phone, but only about 1 in 4 people perform regular backups of their data. What does this mean? Because of global threats like ransomware, potential hardware failure and/or other online problems, the likelihood of losing treasured photos, family documents and more is higher without good backups.

What can you do? Taking recommended action in these two areas (as highlighted by those articles) is both simple and inexpensive (or often free). If you don't, your online risks are higher in many ways.

Why Is Online Security a Tough Conversation?

In my experience, most people are not jumping for joy when cybersecurity topics come up in conversation. Like eating a food that’s good for you but tastes horrible, the thinking is, “I can get through this somehow if I hold my nose.” After going through this mini-exercise with my family members, they all wanted to “go do something fun now.”

No doubt, cybertopics are generally not easy to address before someone experiences trouble. But discussing the impacts of security incidents that occur as a result of poor security practices is an even more difficult conversation. I’ve heard the phrase, “If only I had done such and such …” way too many times.

Nevertheless, while talking about the newest technologies, such as smartphones or tablet PCs, is often considered fun, addressing security aspects is seen as more negative. Messengers, who are trying to help protect or instruct people in a variety of ways, are often seen as the “party poopers.” What is usually heard is something like:

  • “Beware of the bad guys …”
  • “That’s not secure!”
  • “Don’t trust that product!”
  • “STOP!”
  • “You’re stupid because ...”

And I’m not just referring to parents at home trying to warn their children about content or explain the dangers of online predators or cyberbullying.

Whether you are a manager presenting security audit findings to staff or a keynote speaker at a weeklong technology conference or security summit, there are plenty of challenges to making your case for security. 

Engaging others in meaningful, memorable, positive ways is usually difficult for any topic. But bring up cyberSAFETY, or cyberSECURITY or cyberDEFENSE or cyberETHICS or cyberANYTHING at the office to non-geeks, and the conversation usually gets boring, stale and short very quickly. 

Actually, getting people to truly listen and engage in a conversation about security topics around the coffee pot is extremely hard — unless you work in a security function. And in case you think that using words like "information security" or "information assurance" will make things better — think again.

Yes — you can throw in words like "hacker" and "identity theft" to grab their attention and liven things up a bit, but that is usually because people start thinking about movies or scary headlines.

Help, Please!

OK, enough of the dark side and how hard this topic is. (My hope was to provide a dose of reality about the current cybertalk situation — which is pretty bad and getting worse because of information overload.)

Having traveled the world from Michigan to Dubai to Washington, D.C., to speak on “all things cyber” at technology conferences and cybersummits for almost two decades, I’ve learned what (usually) works and what often doesn’t. I’ve experienced the thrill of victory and the agony of defeat. No doubt, I am still learning and adapting.

Perhaps more important, as a husband, father of four and a person who is passionate about online safety, I wrote Virtual Integrity: Faithfully Navigating the Brave New Web. I’ve spoken to public- and private-sector technology teams, security staff, families, university students, community groups, church youth groups and numerous others about these cybertopics.

Here are a few tips I learned along the way that I hope will help you:

1) Know your audience — Of course, the messages are different for a 5-year-old than a 17-year-old. But the message is also different for a group of government internal auditors than for a room full of CxOs from large companies. Ask: What’s their lingo? What’s the current hot-button issue? What questions should I prepare for? Who spoke before and after you — and what are they talking about? Walk through your main outline with event organizers well before the big day.

2) Bring passion and integrity — Are you excited and sincere about the messages? Listeners can spot a fake from a mile away. Do you practice what you preach (especially for family members who see you all the time at home)? Remember that 90-plus percent of what we are communicating is not in the words. Body language, tone and eye contact are key.

3) Tell true stories — Audiences love cyberwar stories. People remember stories much more than facts and figures. Here are some guidelines for good stories.

4) Make it interactive — A few years ago, I heard about a group in Australia that makes all their presenters use an interactive model with audience participation. After presenting 10 or so minutes of content, the audience discusses two to three good questions at their table (or with a few people sitting around you). After a few minutes, a larger group discussion begins with highlights from the table discussions. I have found this model to be a very effective and powerful way to reinforce key points.

Getting everyone involved almost always drives up retention of material. At a minimum, engage the audience with questions and ask for a show of hands on various topics. It also improves session feedback scores.

5) Be relevant — I sometimes hear people walking out of conference sessions saying “He/she didn’t say anything new.” Yes — repetitive content is sometimes needed, but hopefully security is presented in a fresh way with a new twist, facts, figures, stories, etc. Do your homework. Offer fresh insights or practical tips that the audience can implement right away to help at home and work.

Staysafeonline.org, which is a service of the National Cyber Security Alliance, offers some great content and cybervideos that can help, along with links to other great content and websites. 

6) Use teachable moments — Timing is everything. Whether talking with kids about surfing the Net after an issue with a friend or walking in front of a large audience after a huge story about another data breach, use current events and teachable moments to bring your point home. The listener is probably already thinking about what just happened, so why not discuss lessons learned regarding what’s on their mind anyway?

At work, turn "lemons into lemonade" by discussing security incidents that really happened. 

7) Reinforce security presentations with other channels of messaging — We all need to hear and see messages in multiple ways at multiple times to bring home the point. I remember seeing effective posters in hallways at the National Security Agency (NSA) in the 1980s, so this point is not new.

But how are security messages being presented in consistent ways at your office? Use emails, staff meetings and project discussions to discuss security policies and required actions. Does your government have an ongoing computer-based program that is interactive and effective? Free toolkits are available from the MS-ISAC for government entities to use to reinforce key messages.   

8) Offer best practices that work — Are you bringing solutions, or just more problems to listeners? How can we make it right? What’s the answer to the important questions being asked?

One current example that works and is effective is gamification of training and awareness. People love games, and cybercompetitions can help grow talent and interest.

The National Association of State CIOs (NASCIO) has many best practices to consider, such as this award-winning security program that Michigan implemented and that was called out as a best practice by the National Governors Association (NGA).

9) Listen to them — get feedback — Just as we practice before presentations to improve our delivery, we need to learn from the feedback forms and comments we receive after presentations. Ask for input from event organizers, colleagues and even our kids. A few times a year, I’ll ask my son: “So what do you remember from our conversation yesterday?”

10) Have fun, enjoy the moment — and so will the audience! — Let's get rid of the boring title slides. If you are enjoying the conversation, so will others. (And if you are tense, the audience will be as well.) Here are a few specific ideas to help liven up the message.

In summary, talking about cybersecurity doesn’t need to be boring, stale or a drag. If you are passionate about the importance of certain principles or ideas, become a “cyberambassador for good” in your circle of friends, family and colleagues.  

If you are a supervisor, manager or public speaker on cybersecurity topics, strive to simplify and clarify the message and offer positive answers. “Fun cyber” does not need to be an oxymoron for our presentations. Yes, these security topics can be difficult, but we all can do better at communication.

Final Thoughts

I’ll close with a few of my favorite quotes on speaking — whether public or private:

“It usually takes me more than three weeks to prepare a good impromptu speech.” — Mark Twain

“If you don’t know what you want to achieve in your presentation, your audience never will.” — Harvey Diamond

“Words have incredible power. They can make people’s hearts soar, or they can make people’s hearts sore.” — Dr. Mardy Grothe

“Speech is power: speech is to persuade, to convert, to compel.” — Ralph Waldo Emerson