Imagine you’re going about your day when a friend or co-worker with limited experience with cybersecurity asks you about what you do or what you think of the latest security technology. How can you engage with an answer that isn’t terse, overly technical or judgmental? How can we translate cybersecurity issues and provide value for those asking about them?

To that end, here is some advice on how to explain cybersecurity topics to your colleagues in terms they will understand.

Keep Your Reactions in Check

Unless you work in a highly visible environment, people may not go out of their way to ask you questions, so when they do, realize that it’s a prime opportunity not only to provide answers but to engage them in the long term as well. With that said, even the best of us might have an off day and react unfavorably to a question being asked. However, it’s worth remembering that responding to an inquiry with visible shock or displeasure could trigger further difficulties.

If you’re not feeling particularly outgoing or conversational on a given day, consider taking a moment to appreciate that someone is asking for your opinion or advice on a cybersecurity issue. Simply thanking them for their question or replying, “That’s a good question,” can grant you time to collect your thoughts on the matter at hand and respond with confidence and authority.

Clarify the Question and Its Context

We have all been in situations where we start responding to a question and realize after several minutes that we were answering the wrong question or simply didn’t have enough information about the context in which the question was being framed. If the particulars of a colleague’s question are unclear, ask a clarifying question that reuses many of the words from the initial question.

For example, if Bob asks, “Should I be worried about the new two-step login for my bank account?”, the real heart of the issue might be the standard username-and-password approach and its weaknesses, a recent change in the user interface for a login page, or two-factor authentication (2FA) and some of the concerns around SMS-based tokens in the news lately. A quick way to find out would be to reply with something like, “By two-step login, do you mean username and password or a two-factor authentication code sent by your bank?” If Bob answers that it’s about 2FA, you could follow up with another clarifying question about whether the token is sent via SMS, a bank app on his phone or a hardware token.

Understanding the context of questions is also key to ensuring that your answer is useful and appropriate. In the example above, Bob asked a question about the authentication process, but do we have enough context? Sample questions to elicit additional context might include, “when did this happen?” or “why do you ask?” Given these questions, Bob might share that he recently experienced difficulties with logging into his bank account while he was overseas on business. We might also learn that the SMS tokens took several minutes to reach his cell phone, and by that time the bank no longer accepted them as valid.

Explain Cybersecurity With Helpful Metaphors

Providing a valuable answer to a cybersecurity question can be tricky. As security professionals, we might be tempted to peel back the curtain and shed light on what’s happening behind the scenes with a bunch of technical cybersecurity terms. For instance, in response to Bob’s question about SMS-based 2FA, we could launch into the detailed description of steps required for a successful authentication session and the many weak points where response messages could be stopped.

However inclined we may be to answer a question with a complex, technical answer, it’s best to keep in mind some of the more effective ways humans have shared information for centuries. For instance, it may be helpful to explain the issue at hand with a metaphor that offers a path to a solution that the listener can follow. Determining how to explain cybersecurity issues involves focusing on what the asker already knows and their frame of reference and then adapting our explanations to fit that knowledge.

How can we help Bob understand SMS 2FA and its weaknesses? Perhaps we can use the metaphor of a guard dog — even if someone has the key to your house, unless they have your face or your voice, they won’t be able to get in.

Think Influence, Not Judgement

Cybersecurity professionals have spent years, or even decades, honing their intuition and enhancing their knowledge base, which can enable rapid diagnosis of issues with quick answers. However, we must take care to ensure that our answers are presented constructively and not wrapped in an envelope of, “I can’t believe you would do that” or “smart people don’t do things this way.”

When someone asks a question, the last thing they want to hear is that they’re wrong or dumb for asking the question or for reacting unfavorably to their challenges. Resist the urge to judge their behavior or lack of information and instead look for ways to help them see the risks their actions pose and get them thinking about the privacy and security implications of those actions.

To that end, try to provide answers that influence their attitudes toward cybersecurity well after their interactions with you are over.

Leverage the Power of Questions

Instead of handing down a declarative denial in the form of, “you should never do that,” why not reply with a question of your own? Plant the seed of a persistent thought that will guide Bob for months after his question is answered. What should Bob ask himself in advance of his actions from here? Are there any procedural rules he should keep in mind moving forward? Make sure Bob knows to think before he clicks and inform him about where he can turn for the right answers.

To further develop your response to Bob, you might also explain the benefits that SMS-based 2FA can provide and finish with a list of questions for Bob to ask his bank or ponder on his own. The questions for his bank might relate to the timeout factor of the SMS token, whether there are any barriers that would prevent the SMS tokens from reaching his phone while he’s on business travel overseas and whether there is another way to do multi-factor authentication than through SMS. Questions for Bob to think about in the long term should include consideration for the larger concerns of privacy and security around the data and technology he brings with him when he travels.

While Bob may not be getting a quick and simple answer, let’s face it: There are few quick and simple answers left in cybersecurity. On the other hand, Bob now has a more accurate understanding of the tough issue of authentication, and he’ll likely be thinking about travel-related security and privacy for quite some time. Bob can walk away glad that he asked a question and wasn’t belittled for it, and he’ll probably come back to you with future questions.
