October 24, 2019 By Christophe Veltsos 4 min read

Imagine you’re going about your day when a friend or co-worker with limited experience with cybersecurity asks you about what you do or what you think of the latest security technology. How can you engage with an answer that isn’t terse, overly technical or judgmental? How can we translate cybersecurity issues and provide value for those asking about them?

To that end, here is some advice on how to explain cybersecurity topics to your colleagues in terms they will understand.

Keep Your Reactions in Check

Unless you work in a highly visible environment, people may not go out of their way to ask you questions, so when they do, realize that it’s a prime opportunity not only to provide answers but to engage them in the long term as well. With that said, even the best of us might have an off day and react unfavorably to a question being asked. However, it’s worth remembering that responding to an inquiry with visible shock or displeasure could trigger further difficulties.

If you’re not feeling particularly outgoing or conversational on a given day, consider taking a moment to appreciate that someone is asking for your opinion or advice on a cybersecurity issue. Simply thanking them for their question or replying, “That’s a good question,” can grant you time to collect your thoughts on the matter at hand and respond with confidence and authority.

Clarify the Question and Its Context

We have all been in situations where we start responding to a question and realize after several minutes that we were answering the wrong question or simply didn’t have enough information about the context in which the question was being framed. If the particulars of a colleague’s question are unclear, ask a clarifying question that reuses many of the words from the initial question.

For example, if Bob asks, “Should I be worried about the new two-step login for my bank account?”, the real heart of the issue might be the standard username-and-password approach and its weaknesses, a recent change in the user interface for a login page, or two-factor authentication (2FA) and some of the concerns around SMS-based tokens in the news lately. A quick way to find out would be to reply with something like, “By two-step login, do you mean username and password or a two-factor authentication code sent by your bank?” If Bob answers that it’s about 2FA, you could follow up with another clarifying question about whether the token is sent via SMS, a bank app on his phone or a hardware token.

Understanding the context of questions is also key to ensuring that your answer is useful and appropriate. In the example above, Bob asked a question about the authentication process, but do we have enough context? Sample questions to elicit additional context might include, “When did this happen?” or “Why do you ask?” Given these questions, Bob might share that he recently experienced difficulties logging into his bank account while he was overseas on business. We might also learn that the SMS tokens took several minutes to reach his cell phone, and by that time the bank no longer accepted them as valid.

Explain Cybersecurity With Helpful Metaphors

Providing a valuable answer to a cybersecurity question can be tricky. As security professionals, we might be tempted to peel back the curtain and shed light on what’s happening behind the scenes with a bunch of technical cybersecurity terms. For instance, in response to Bob’s question about SMS-based 2FA, we could launch into the detailed description of steps required for a successful authentication session and the many weak points where response messages could be stopped.

However inclined we may be to answer a question with a complex, technical answer, it’s best to keep in mind some of the more effective ways humans have shared information for centuries. For instance, it may be helpful to explain the issue at hand with a metaphor that offers a path to a solution that the listener can follow. Determining how to explain cybersecurity issues involves focusing on what the asker already knows and their frame of reference and then adapting our explanations to fit that knowledge.

How can we help Bob understand SMS 2FA and its weaknesses? Perhaps we can use the metaphor of a guard dog — even if someone has the key to your house, unless they have your face or your voice, they won’t be able to get in.

Think Influence, Not Judgement

Cybersecurity professionals have spent years, or even decades, honing their intuition and enhancing their knowledge base, which can enable rapid diagnosis of issues with quick answers. However, we must take care to ensure that our answers are presented constructively and not wrapped in an envelope of, “I can’t believe you would do that” or “smart people don’t do things this way.”

When someone asks a question, the last thing they want to hear is that they’re wrong or dumb for asking the question or for reacting unfavorably to their challenges. Resist the urge to judge their behavior or lack of information and instead look for ways to help them see the risks their actions pose and get them thinking about the privacy and security implications of those actions.

To that end, try to provide answers that influence their attitudes toward cybersecurity well after their interactions with you are over.

Leverage the Power of Questions

Instead of handing down a declarative denial in the form of, “you should never do that,” why not reply with a question of your own? Plant the seed of a persistent thought that will guide Bob for months after his question is answered. What should Bob ask himself in advance of his actions from here? Are there any procedural rules he should keep in mind moving forward? Make sure Bob knows to think before he clicks and inform him about where he can turn for the right answers.

To further develop your response to Bob, you might also explain the benefits that SMS-based 2FA can provide and finish with a list of questions for Bob to ask his bank or ponder on his own. The questions for his bank might relate to the timeout factor of the SMS token, whether there are any barriers that would prevent the SMS tokens from reaching his phone while he’s on business travel overseas and whether there is another way to do multi-factor authentication than through SMS. Questions for Bob to think about in the long term should include consideration for the larger concerns of privacy and security around the data and technology he brings with him when he travels.

While Bob may not be getting a quick and simple answer, let’s face it: There are few quick and simple answers left in cybersecurity. On the other hand, Bob now has a more accurate understanding of the tough issue of authentication, and he’ll likely be thinking about travel-related security and privacy for quite some time. Bob can walk away glad that he asked a question and wasn’t belittled for it, and he’ll probably come back to you with future questions.
