The Human Element
Communication as a cybersecurity skill // LastPass // 2023 trends
We all know communication is important, but we don't think about it very much
Happy New Year!
I hope you all had a fantastic holiday and were able to enjoy the time with friends and family.
We made it through the holiday without another Log4j, so that’s something we can be thankful for off the bat (though maybe Southwest Airlines was the aviation equivalent…)
To kick us off in 2023, we are going to be taking a different type of look at cybersecurity skills. Technical knowledge and fluency are obviously incredibly important in our industry, but emphasis on this can come at the expense of considering (and developing) non-technical skills. It tends to be the kind of thing that most people acknowledge is important, but don’t consider very thoughtfully when hiring or training.
-Brad
Communication as a cybersecurity skill
In 1950, just as the Cold War was heating up, Secretary of State Dean Acheson delivered an informal speech at the National Press Club. In that speech he casually outlined a line around the globe that America would defend. The problem was that the line left out Korea, even though communist forces were amassing on the border. It also left out Taiwan. His speech was rushed to Stalin, who consulted with Mao. Two weeks later Stalin approved the invasion of South Korea.
Acheson thought he was providing a warning. Instead he provided an invitation.
Bottom line, communication matters. And in our field, it isn’t particularly hard to see how much communication skills can make a difference.
Think about the following illustrations:
- Articulating the criticality and risk of a particular vulnerability to the business when delay or downtime will be required to address it
- Describing the lessons learned from a non-critical incident in a way that will cause others to want to change
- Building morale and engagement among the security team; communicating purpose
- Communicating the changes that a client must make to their program based on findings from an audit or penetration test, in a way that will compel action
- Conducting effective cybersecurity awareness training for a general audience across a business
- Articulating the ROI and rationale for incremental investment
- Effectively alerting customers and employees in the event of an incident
As cybersecurity needs to move from being the department of ‘no’ to being embedded upstream with development, IT, and the business overall, the importance of communication, relationship building, and other soft skills is only increasing.
Despite this, most job descriptions only casually list this at the bottom, as a throwaway line. The implicit assumption is that you either have communication skills or you don’t. Well, it’s not that simple.
This doesn’t mean that communication skills aren’t considered when someone is hired or promoted. In most instances, they probably are. The question is how much thought and design are really put into those decisions. In that respect, it is clear that we can do better.
It’s worth noting that the relative importance of communication skills depends on the nature of the role. The bar rises with the level of seniority (and managerial requirements), the degree to which the role is customer facing (and the number of interface points), and whether the nature of the job itself is more routine or investigative/creative.
For Tony Grey, former CISO of Hagerty, it isn’t only communication skills that matter, it’s the ability to see the big picture and to think strategically. Then communication skills flow from there.
He breaks these skills down into four categories that are critical for success:
- Strategic thinking
- Creating a narrative/telling a compelling story
- Setting expectations
- Negotiating
Tony seeks to build his cyber teams with people that are ‘greenfield’ thinkers and capable of serious critical inquiry. The rote or transactional work then gets outsourced or automated.
This applies not just to managerial roles, but to line roles as well. This means that he’s hiring for more than pure technical skills or experience with a given set of technologies; he’s assessing a much broader perspective on the person.
Even for entry level SOC roles, he asks questions designed to get underneath a person’s strategic thinking capability, and communication ability.
If you are hiring, and want to do a better job of assessing communication and strategic thinking skills upfront, here are some ideas:
- Ask interview questions that lend themselves to a story. Listen for clear articulation of context, events, and results. Examples:
  - Describe the last significant issue you were involved in handling. What led to it, and how was it resolved?
  - How did you end up attending (xyz) school (or joining xyz company)? What led you to that decision?
  - What was a significant mistake you made at (last employer)? What did you learn?
- Ask for examples of work product or reports (redacted, not confidential). This is particularly important for roles that have a significant component of written work (for example, writing up penetration testing reports).
- Ask them to explain particular concepts relevant to their domain of expertise; you are listening not just for what they know, but for how they articulate it.
- Run a scenario by them in which they have to make a case for something: investment, support, additional time, or actions from another department.
- Ask them to describe the security program of their former company:
  - Goals/strategy
  - Roadmap
  - Their take on gaps in that strategy, and what they would do differently
If you are unsure of how your communication skills are perceived, ask for feedback! That’s the best way to truly know where you stand. Create a ‘safe space’ and speak with your boss, colleagues, and former colleagues.
Generally, communication skills are regarded as something that is inherent, rather than something that can be trained or coached. However, there are exceptions to this; for instance, when challenges arise due to anxiety or inexperience in taking the perspective of the listener/audience.
Here are some good resources to look at if you are interested in enhancing your communication skills:
Tools, resources, and useful things from the internet
☁️The Cloud Security Alliance has published an excellent report on pragmatic implementation of DevSecOps. Note the particular emphasis on the human/culture side of the equation (CSA)
🔐Good reflections on the LastPass hack and password managers in general (Daniel Miessler)
🎧Have some time to listen? Here's a list of 50 cybersecurity podcasts (Daniel Kelley)
↗️Excellent (and extensive) piece on key cybersecurity trends for 2023 (Chuck Brooks)
News
💼WSJ reports that cybersecurity will remain the top budgetary priority, and that if cuts need to come, they won’t come from that department. 66% are planning on increasing cyber budgets (WSJ)
💰The head of Zurich insurance is calling for public insurance against cybersecurity risks, saying that the private sector alone cannot handle the risk (Irish Times)
🚪Another significant WordPress vulnerability found. Shocking. (Hacker News)
🎭The war in Ukraine is bringing hacktivism back into the mix (Wired)
🤖Overview of the current state of weaponized AI (Venture Beat)
🪖Exploration of how cell phone use puts Russian soldiers in the Ukrainian line of fire (NYT)
Jobs to check out
Starting with this newsletter, we will be featuring a curated set of newly posted jobs every week. This week we are sharing a number of interesting mid to senior level IAM jobs.
💼Gartner. Sr Director, Analyst - Identity and Access Management (Remote)
💼Circle. Director, Identity and Access Management (Phoenix or remote)
💼Motorola Solutions. Identity and Access Management Lead (Chicago, Hybrid)
💼Biogen. Sr. Manager, Identity and Access Management (SailPoint) Program Delivery Lead (Remote)
💼Aflac. IAM Systems Security Admin (Remote)
💼Capital One. Senior Sailpoint Engineer, IAM
💼Huntington. Identity and Access Management Director
💼Okta. Senior Product Security Engineer (Customer Identity)
Events
💼FlowCon 2023. January 9-12. Santa Fe, NM. Carnegie Mellon conference focused on the flow of data for network defense.
💼National Cybersecurity Alliance Convene. Jan 10-11. Clearwater, FL. Generalist industry event.
💼Cyber Risk Alliance cybersecurity summit. January 27. Tampa.
💻SANS Cyber Threat Intelligence Solutions Summit. Jan. 31. Virtual.
💼SANS East. Feb 13-18. Virtual. Training extravaganza.
Stat of the week
51,500
Number of tech layoffs in the month of November.
Crux is building the talent platform for cybersecurity. Check us out.
Thinking about your next move? Join our network.
Want help with your hiring needs? Reply to this email to drop me a line.