
CG - How to communicate with non-security specialists to drive action

BSides Las Vegas | 21:55 | 38 views | Published 2023-10
About this talk
Common Ground, 11:00 Tuesday

How many times have you let someone know about a critical issue, only to be dismissed? Or maybe you see a significant improvement to a process that can be made, but no one senses the urgency or understands why they need to change their way of working? So much of the work in security today is persuading people to act: to fix, to change, to update, to communicate. Technical prowess is often the starting point of many careers, but the ability to communicate and persuade people to act is what will fuel career growth and influence change within an organization. In this talk, security practitioners of all levels learn the valuable pieces of communication to resonate with others and drive action.

Ashleigh Lee
Transcript [en]

All right, hello everybody. Our next talk is "How to communicate with non-security specialists to drive action," and without further ado I would like to welcome our speaker, Ashleigh Lee.

Hello, hi everyone. My name is Ashleigh. I am Senior Product Marketing Manager at JupiterOne, and I've been doing marketing for over a decade now, the last seven years in cybersecurity. In the four and a half years that I was at NowSecure, which was my previous gig, I observed a rather unnerving cycle, and maybe you've experienced this too. Basically, our pen testing team would scope out a project with a client. They would spend several days testing their mobile app. Then they would spend several more days, maybe a week or so, compiling that report of the findings and suggested courses of action. They'd have some calls with the client to figure out the best course of action, do some more explanation and whatnot. And after a period of time they would send back a new app binary to test, and lo and behold, what would they find? The pen testing team would retest it, and they'd find a lot of the same findings, if not more.

Now, for someone who was attracted to cybersecurity in the first place with the mission to defend and to protect against threats, it really boggled my mind that customers would be okay with leaving in weaknesses that would expose customer data like payment data, PII. It was really mind-boggling for me. What was the point of finding all those weaknesses without fixing them? So when I moved on to JupiterOne in 2020, I found that that cycle wasn't specific to mobile app security. In fact, that cycle of finding but not fixing, knowing but not doing anything about it, hit a lot of other domains, whether it's network configurations, cloud resources, device management, you name it. Why were these issues not getting resolved? Well, it turns out that the people who find issues are not the same people who have the means to fix them. The people who find security gaps are not the same people who own those systems.

So as a result we've seen in recent years a rise in security trainings, a rise in security awareness, security champions programs, and it's all to put knowledge in the hands of the people who actually have the means to fix it. But even then, in the latest Verizon report, the Data Breach Investigations Report, they found that 74% of breaches still involved the human element. So even though knowledge is in the hands of people, you still have to convince them, persuade them to act. We've got a lot of work to do, and I'm here to help you not feel like this.

So when you are communicating to a non-security specialist, there are three things that help you communicate to drive action: you provide value, you are extremely clear, and you connect with your audience. Now, how you do those three things (provide value, be clear, connect) is going to be different when you connect with engineers versus finance, sales, HR, executives, engineering interns. You might be convinced that you should do it in a big group, right, for efficiency purposes, because there's only so much of your time to spend. But the reality, coming from a marketer, is that the more specific you are with your audience, the more likely you're going to be able to drive action.

So let's take the first one, value. When you are thinking about value, you obviously have to think about it in the context of your audience, and there are seven reasons why people care to read or listen to anything in general. The first thing is novelty: is it new or original to them? Counterintuitive: does it go against their expectations? Counternarrative: does it go against a strongly held belief that they have? Or does it reinforce a belief that they already have? Maybe it sparks controversy or debate. Maybe it induces fear. Or maybe it's just simple rankings or a listicle that is really easy to scan and consume. Just a side note: listicles tend to be really good for
executives, because they don't need all the detail.

Now, aside from value, the other two pieces, connecting and being clear, are best captured in a quote by Kazuo Ishiguro. Kazuo Ishiguro was the Nobel Prize winner in literature in 2017, and in his acceptance speech this quote goes: "Stories are about one person saying to another: this is the way it feels to me. Can you understand what I'm saying? Does it also feel this way to you?" The first part here is clarity: can you understand what I'm saying? Communication, persuasion, influence, they all start with this basic question. Can you understand the words that are coming out of my mouth? Is it clear what I'm trying to convey? And the second part is connectedness: does it also feel this way to you? This is what makes stories powerful and memorable. It's the power of connecting on an emotional level, because we as human beings build trust and relationships with that emotional connection. The way security practitioners relate to and comprehend technology is going to be very different from how non-security specialists relate to technology. So as subject matter experts, it's our duty to be able to connect with our audience and be able to connect the dots between why a policy change or a change in their behavior is important in their context. Remember, always keep your audience in mind. So clarity and connection, these are the two basic components of any storytelling.

Now, the biggest hurdle that I see is clarity. Too often we rely on technical terms that become jargon, misused by media, by marketing people, by salespeople. And the reality is jargon is a problem for any technical field, whether it's engineering, finance, legal, sciences. There are entire programs dedicated to the art and practice of communicating technical terms and technical fields to the common, everyday, regular person. Think for a second: how many brilliant PhDs do you know that are also great communicators? It tends to be an exception to the rule, right, to be both a technical expert and a great communicator, and that's because the skills to get to their level of expertise are very different from the skills you need to be a good communicator. Technical people like yourself use precise, specific words in your roles because it matters. Ambiguity costs time, it costs money, it costs your sanity. But in order to drive action across other business units, across other people in your life even, we've got to use simple, common language to connect with those people. These people also have their areas of expertise, right? They may not know the ins and outs of multi-factor authentication, but they just need to know that it's going to save their butt one day, right? So to that end, we've got to use simple, common language.

So to that end I'm going to give you two free tools to help with clarity. The first one is the De-Jargonizer. I actually learned about this last year from Carrie Tomlinson; she presented on this at RSA last year. I'll show you in a second how to use it. And the second is the Hemingway app. To demonstrate how to use these two tools, we're going to use a definition from NIST. This is the definition of MFA from NIST. It goes like this, if I can read it: "An authentication system that requires more than one distinct authentication factor for successful authentication. Multi-factor authentication can be performed using a multi-factor authenticator or by a combination of authenticators that provide different factors. The three types of authentication factors are something you know, something you have, and something you are." It's probably not the best idea to use the word you're trying to define in the definition, right? So when we drop this definition into the De-Jargonizer, you'll notice that it highlights the likely culprits of jargon. Orange is that mid-range: it's used, but it's not used too
infrequently. Red are your real culprits of jargon. This tool also gives you a meter reading, so it counts how many words there are and it ranks the commonality of your words. Studies have shown that readers need to understand 98% of the vocabulary in a text in order to comprehend it, so that means rare words should be less than 2%, and in this case, no rare words.

Now let's drop this into the Hemingway app. You can see that it is highlighted as such. It's a tool that helps with readability. So what grade level does somebody need to have in order to understand this text? Any guesses? Eighth grade? Any other guesses? Postgrad. You need a postgrad degree in order to understand this particular definition. We've got to do better than that. So here's an example of a simpler explanation. I actually presented a similar topic to other marketers, believe it or not, because they have problems with jargon too, on how do you describe multi-factor authentication in a simpler way that isn't using all the jargon that marketers have relied on. So this is one of the ones that were provided: "Multi-factor authentication is how you prove who you say you are, using something you know, something you have, something you are." And when you drop this into the two tools, you can see our meter reading for the De-Jargonizer is in the green, we have no rare words, and it's at a grade seven reading level. So with this we're able to actually appeal to a wider audience. But this is only to get to clarity; we still have to connect with our audience, right?

So on that end, connection. The most logical person that you know will probably still be prompted to act off of emotion, so you just got to connect with them. I have two books here that I recommend on how to connect with your audience. It's going to be specific to who you're talking to, but both of these books give you tools and tactics on how to improve and listen well. So, How to Win Friends and Influence People. This is a timeless
book. It is decades old, but it is still applicable. It gives you tools on how to communicate with folks, how to get other people to see your perspective and even jump on board, even if you have opposing goals. The second book there, Never Split the Difference by Chris Voss. He is a hostage negotiator, or was. He has this concept of the Black Swan, and the Black Swan is essentially the motivation behind the motivation behind the motivation of why somebody's acting the way they are. People will tell you that there's a reason why they're choosing not to turn on MFA for their accounts, but if you dig a little bit, if you use the tactics in his book, you're able to kind of uncover what is the real hurdle that's blocking them from performing that security measure.

Okay, so we've covered all three: value, clarity, connection. I want to take you back in time to 2017. I had just finished and passed my exam for the Marketo Certified Expert, and this was when the exam was still hard; it's probably the equivalent of the AWS Certified Solutions Architect exam. I walked into the room for the next talk riding the high of passing that exam, settled in for the talk, and it was by Holly Rollo, who was the CMO of RSA at the time. There were seven other people in the room, and I remember exactly where I sat: it was second row, second seat on the right section. It felt empty and intimate all at the same time. The presentation started off the way that most do: 20% this, 35% that, three out of five people do this wrong, 74% of breaches are attributed to the human element. But then all of a sudden it felt like Holly was talking directly to me. She knew three things about her audience. One, we all had the keys to do some serious damage with our customer data, or we managed somebody who did. Two, we liked our sparkly technologies that inevitably held customer data. And three, we, us marketing operators, did not give significant thought to security measures like MFA. Now, knowing her audience,
those three different aspects, she brought her message home and said: don't be that person. Don't be the reason your customer data gets stolen. You better believe that I turned on 2FA and rechecked all our user permissions after that session. And the reality is, I had heard that fear-inducing message before, but what actually drove me to act? It was her extreme clarity and connection with her audience, with me, that helped me understand why security measures made sense in my context. It made a difference.

So I'm going to leave you with this: people want to do the right thing. You just got to inspire them to do it, right? They just need to know what security measures mean in their context, and you can inspire them by using these three pieces of communication that drive action: value, clarity, connection. And always keep your audience in mind. Thank you.

[Applause]

We've got time for questions. I think the mic is behind you.

[Audience question] Once you've gotten your message across and you're motivating people to do things, how do you track their progress and follow up with them in a way that doesn't seem like you're punishing them, or you're a parent talking to a recalcitrant child?

That is a great question. I would say part of it has to do with the relationship that you're building with them, right? If you are chummy with folks, you can totally joke with them in a way that they can receive it, but then also, message received, that I'd better get on that task. But also sometimes it's okay to be direct and be like, hey, I've also tried to tell you this, it's been how long, what's the hurdle, right? And use some of the tactics from Never Split the Difference to kind of hear out: oh, are there other priorities that are pushing this down? Are there maybe technical things that they don't understand? There's a number of different reasons why somebody may not be doing it. Maybe they just feel crushed in their job, right, and they just need someone to hear them out. You know, if you're a human being to them, I think that builds rapport, right? So, empathy. Yes, you put that way more succinctly than I did. For all those who couldn't hear, he said "empathy." So, any other questions?

[Audience question] How do you practice this when you can only correspond with the folks you're communicating with via email? I work with a lot of international partners, and so it's really hard to hop on a call and get messages across. How would you build rapport or overcome those challenges by only creating remote relationships?

Ooh, that is a tough one, because you already nixed the one thing that I normally would say, which is hop on a call with them and, you know, shoot the breeze, right? I think that there needs to be probably more organized ways to get that interaction and build that rapport. Like, maybe it's not a weekly thing, but if you can get together with those folks somehow, whether it is a Zoom call and you're just doing a trivia or having a good time, there's different tools out there where you can get into different event pockets and connect with each other. We actually used to do that at JupiterOne, where Toucan would just put us in a bubble and we'd all just talk about random stuff. If you can make the time to do that, that actually will go a long way to building rapport with your counterparts that you'll need to ask things from down the line. So I would say, if there's a way to build in a program where you can just have time to connect with people, instead of always having to work directly and ask them for something, that would be my recommendation: find a way to connect with them outside of the job, if you can. I think we had a question up here also. There's a mic coming.

[Audience question] What's the best way to, you know, a new audience... the best way to contact...

Oh, to contact me? I'm on LinkedIn.

[Audience question] Oh, sorry, the best way to know a new audience, how to...

Oh, how to get to know your new audience. Yeah, there's different ways. For me, I tend to try and pick it up as I go along as I meet people, right? What are their interests? How do they interact with you? Do your jokes land or do they not land? The other way to do it is, you know, hey, you want to get to know the finance team, you're new to this company and you want to get to know a group: just be like, hey, if you have time, come on over, we're going to have a Zoom meeting, we're going to play a game, we're going to play Codenames, whatever, right? Just create an event where you can connect with people and just have a good time, whether it's remotely or in person. And you can do that either team-based or you can do that all at once, and just pay attention to which person is on which team. That's probably the most human way I would do it. There are other ways; I know people might recommend surveys and stuff like that, but I feel like you don't always get an authentic answer in a survey, right? It's very rote. And so a lot of it is just being able to interact and pick up the cues from the people. So, does that answer your question? Perfect.

Right, so our next talk is going to come up, so thank you, Ashleigh, thank you everyone, and if you have any questions Ashleigh will be here.