In the brokenness of the information security industry, our inability to communicate effectively stands out above the rest as one of the root causes. We lack a common language that holds us all together. It’s critical that we find this common language to lay the foundation that can help us build a better industry. This communication can’t just be between information security experts, either.
In the United States, there are roughly 700,000 people that are considered “security people.” But there are 322 million people in the United States, and those people are all accessing important data. One of the biggest challenges we face in the information security industry is getting those people to care. The industry professionals cannot fix this industry themselves. It takes buy-in and understanding from those non-security people as well.
Too many times when I’ve tried to discuss my job to people, or bring up information security topics, their eyes glaze over. They say something nice just so they don’t make me feel bad, they give me a blank stare or confused look, or they just stop paying attention altogether.
So how do we break through to them? It circles back to this idea of a common language.
This is all personal. When an information security incident happens, when a breach happens, when data is compromised, it doesn’t just affect security people. It affects people. This is what we need to understand. We need the help of non-security people to improve the industry, and improving the industry helps people. If we can convey this effectively to non-security people, we can make a monumental step in the right direction.
One of the best ways that we can get people speaking a similar language to us, and understanding the significance of information security is to tell stories. Giving people real-life examples of how others just like them have been impacted by information security incidents can light the proverbial lightbulb above their heads. Storytelling is one technique by which we can all come to a mutual understanding about exactly why this is important.
Setting an Example
There are hundreds of stories that can be told about information security incidents, and they all share a common theme. They all had consequences, and those consequences impacted people.
I recently heard about a 60-year-old woman who visited the doctor’s office for an appointment, and they congratulated her on the birth of her newborn. Confused, she looked at the nurse and said that that ship had sailed long ago. As it turns out someone had stolen her identity to pay for hospital visits during the birth of their child on this lady’s insurance. Imagine if that was your mother or grandmother.
Not too long ago, a report came out that stated that about a fifth of educational institutions (schools) have been breached in some capacity. These breaches compromised student health records, contact information, and other personal and confidential information. If that was your child, would you find information security important?
These stories and the ones like them are relatable and impactful. Storytelling helps create a common language because it enhances the understanding of the significance of these incidents through their relatability. “If it happened to these people, it could certainly happen to me or a loved one, and I don’t want that to happen.” If we can generate and practice a common language, we will create allies to help us improve the brokenness of the information security industry, and ultimately protect more people and their information.