Talking about security in effective ways is hard – whether the audience is an auditorium full of professionals or a small room at home with a few children. Here are some tips to help.
Try this experiment: Read the following list of words and think of just one feeling that comes to mind after briefly pondering these terms:
Cybersafety, cybersecurity, cybercrime, cyberbullying, cyberattack, online privacy, identity theft, digital scams, peer to peer file sharing, computer protection, encryption, passwords, email spam, laptop security, two step authentication, phishing, firewalls, cyberethics, cyberdefense, cyberetiquette, or cyber … anything else.
So what’s your word?
OK, now try this list again with a friend or family member – preferably someone who tends to not be a “technology geek or nerd.”
For many people the word that comes to mind is "boring" or "exhausted" or "hard" or some other word with negative connotations. If they could say five words or a sentence, it would be: “Get me out of here.”
Why Is Online Security a Tough Conversation?
In my experience, most people are not jumping for joy when cybersecurity topics come up in conversation. Like eating a food that’s good for you but tastes horrible, the thinking is, “I can get through this somehow if I hold my nose.” After going through this mini-exercise with my family members, they all wanted to “go do something fun now.”
No doubt, cyber topics are generally not easy to address before someone experiences trouble. But discussing the impacts of security incidents that occur as a result of poor security practices is an even more difficult conversation. I’ve heard the phrase, “If only I had done such and such …” way too many times.
Nevertheless, while talking about the newest technologies, such as smartphones or tablet PCs, is often considered fun, addressing security aspects is seen as more negative. Messengers, who are trying to help protect or instruct people in a variety of ways, are often seen as the “party poopers.” What is usually heard is something like:
“Beware of the bad guys …”
“That’s not secure!”
“Don’t trust that product!”
“You’re stupid because ...”
And I’m not just referring to parents at home trying to warn their children about content or explain the dangers of online predators or cyberbullying.
Whether you are a manager presenting security audit findings to staff or a keynote speaker at a weeklong technology conference or security summit, there are plenty of challenges to making your case for security.
Engaging others in meaningful, memorable, positive ways is usually difficult for any topic. But bring up cyberSAFETY, or cyberSECURITY or cyberDEFENSE or cyberETHICS or cyberANYTHING at the office to non-geeks, and the conversation usually gets boring, stale and short very quickly.
Actually, getting people to truly listen and engage in a conversation about security topics around the coffee pot is extremely hard – unless you work in a security function. And in case you think that using words like "information security" or "information assurance" will make things better – think again.
No, I'm not talking about leading with scary headlines on the latest data breaches – that Fear, Uncertainty & Doubt (FUD) often works – at least for a few minutes. Discuss the personal ramifications of the OPM breach or the implications of the Ashley Madison breach, and people are all ears.
(It is true that people also like to talk about cyberMONDAY, which is the Monday after Thanksgiving, but that is generally because of online shopping sales and not information security.)
Yes – you can throw in words like hacker and "identity theft" to liven things up a bit, but that is usually because people start thinking about movies or shopping again.
OK, enough of the dark side and how hard this topic is. (My hope was to provide a dose of reality about the current cyber-talk situation – which is pretty bad.)
But before I provide some tips to help, some readers may wonder: Is this guy qualified to speak to cybersecurity speakers?
(Side note: Another current reality is that technology and security pros love to question the credentials and experience of other security speakers, while often missing the message. I find myself falling into this trap. The truth is that some of the best messengers for various cyber topics are often non-technical staff who have less at stake and who use everyday language that is easier to understand.)
Anyway, having traveled the world from Dubai to San Diego to speak on “all things cyber” at technology conferences and cybersummits for a decade, I’ve learned what (usually) works and what doesn’t. I’ve experienced the thrill of victory and the agony of defeat. (Yes – I am still learning and adapting.)
Perhaps more important, as a husband, father of four and a person who is passionate about online safety, I wrote Virtual Integrity: Faithfully Navigating the Brave New Web. I’ve spoken to public- and private-sector technology teams, security staff, families, university students, community groups, church youth groups and numerous others about these cyber topics.
Here are a few tips I learned along the way that I hope will help you:
1) Know your audience – Of course, the messages are different for a 5-year-old than a 17-year-old. But the message is also different for a group of government internal auditors than for a room full of CxOs from large companies. Ask: What’s their lingo? What’s the current hot button issue? What questions should I prepare for? Who spoke before and after you – and what are they talking about? Walk through your main outline with event organizers well before the big day.
2) Bring passion and integrity – Are you excited and sincere about the messages? Listeners can spot a fake from a mile away. Do you practice what you preach (especially for family members who see you all the time at home?) Remember that 90-plus percent of what we are communicating is not in the words. Body language, tone and eye contact are key.
3) Tell true stories – Audiences love cyber war stories. People remember stories much more than facts and figures. Here are some guidelines for good stories.
4) Make it interactive – A few years ago I heard about a group in Australia that makes all its presenters use an interactive model with audience participation. After presenting 10 or so minutes of content, the audience discusses two to three good questions at their table (or with a few people sitting around you). After a few minutes a larger group discussion begins with highlights from the table discussions. I have found this model to be a very effective and powerful way to reinforce key points.
Getting everyone involved almost always drives up retention of material. At a minimum, engage the audience with questions and ask for a show of hands on various topics. It also improves session feedback scores.
5) Be relevant – I sometimes hear people walking out of conference sessions saying “He/she didn’t say anything new.” Yes – repetitive content is sometimes needed, but hopefully security is presented in a fresh way with a new twist, facts, figures, stories, etc. Do your homework. Offer fresh insights or practical tips that the audience can implement right away to help at home and work.
Staysafeonline.org, which is a service of the National Cyber Security Alliance, offers some great content and cyber videos that can help, along with links to other great content and websites.
6) Use teachable moments – Timing is everything. Whether talking with kids about surfing the Net after an issue with a friend or walking in front of a large audience after a huge story about another data breach, use current events and teachable moments to bring your point home. The listener is probably already thinking about what just happened, so why not discuss lessons learned regarding what’s on their mind anyway?
At work, turn "lemons into lemonade" by discussing security incidents that really happened.
7) Reinforce security presentations with other channels of messaging – We all need to hear and see messages in multiple ways at multiple times to bring home the point. I remember seeing effective posters in hallways at the National Security Agency (NSA) in the 1980s, so this point is not new.
But how are security messages being presented in consistent ways at your office? Use emails, staff meetings and project discussions to discuss security policies and required actions. Does your government have an ongoing computer-based program that is interactive and effective? Free toolkits are available from the MS-ISAC for government entities to use to reinforce key messages.
8) Offer best practices that work – Are you bringing solutions, or just more problems to listeners? How can we make it right? What’s the answer to the important questions being asked?
The National Association of State CIOs (NASCIO) has many best practices to consider, such as this award-winning security program that Michigan implemented and that was called out as a best practice by the National Governors Association (NGA).
9) Listen – get feedback – Just as we practice before presentations to improve our delivery, we need to learn from the feedback forms and comments we receive after presentations. Ask for input from event organizers, colleagues and even our kids. A few times a year, I’ll ask my son: “So what do you remember from our conversation yesterday?”
10) Have fun, enjoy the moment – and so will the audience! – Let's get rid of the boring title slides. If you are enjoying the conversation, so will others. (And if you are tense, the audience will be as well.) Here are a few specific ideas to help liven up the message.
In summary, talking about cybersecurity doesn’t need to be boring, stale or a drag. If you are passionate about the importance of certain principles or ideas, become a “cyber ambassador for good” in your circle of friends, family and colleagues.
If you are a supervisor, manager or public speaker on cybersecurity topics, strive to simplify and clarify the message and offer positive answers. “Fun cyber” does not need to be an oxymoron for our presentations. Yes, these security topics can be difficult, but we all can do better at communication.
I’ll close with a few of my favorite quotes on public speaking:
“It usually takes me more than three weeks to prepare a good impromptu speech.” – Mark Twain
“If you don’t know what you want to achieve in your presentation your audience never will.” – Harvey Diamond
“Words have incredible power. They can make people’s hearts soar, or they can make people’s hearts sore.” – Dr. Mardy Grothe
“Speech is power: speech is to persuade, to convert, to compel.” – Ralph Waldo Emerson