
okay all right to you thank you thanks yeah so um I'm an and um I am on Twitter as Affinity editing as my grown-up adult self and fairy cake pixie for the BSides community um no that's my normal Twitter handle um so I'm going to talk today about um the way that humans work when we communicate with each other and how that goes wrong um quite often between different communities and different groups of people um and what we can do about that because I think you know we've had a number of talks today that have already mentioned how important um culture and communication is within security um so just a little bit of background as to why I'm talking about
this subject um my degree is in English language and Linguistics um studies in uh sociolinguistics and psycholinguistics um um and then ended up in information security um after my graduate program um following University where I started out in training and Communications I have not stood on the stage for a very long time so I'm bricking it um but um yeah so I've spent the last 14 years working in information security as an information security consultant um and now I work as a writer copy editor and proofreader um for Affinity editorial um which is uh it's been going for just about a year now just coming up to a year so um so yeah that's that's a
little bit about me and um so we'll crack on so working in security can sometimes feel a bit like uh we like we're talking to a wall um no one seems to listen to what we have to say uh even if they say they are um and I R's a tricky one um we don't usually show up with a great deal of good news to say we're a bit like the police knocking at your door um if they're doing that they they probably it's probably not going to be news you want to celebrate um and kind of inherent in what it's sort of a bit inherent in what we do um in that we um
we do everything that we can to make sure that people are doing the things that they should be doing to make sure that organizations are secure a lot of the time we don't actually have direct control over the security of a business guide people to do the right things but we're absolutely dependent on them doing it to make our security um practices successful um and so that can often come with its own challenges as well from a business point of view from a financial point of view we're generally a cost center we don't directly derive profit for a business so we're also you know not the um we're not in the pretty sales job that drives all of the lovely
customers and things we're the people that hide in the back and are a bit difficult to talk to um and yeah we we monitor risk we advise people against less than sensible actions for very good reasons obviously um we're the first to shout about an incident and then we're the ones that go and investigate to find out who did or didn't do more likely what they should have done to prevent that event from happening in the first place um sort of How To Lose Friends um and alienate people rule 10 number one I think um so yeah we've established that the responsibilities of our role often will drop us a few places down people's Christmas cards lists um and you know
worse than being unpopular because really who needs the social pressure uh we are often seen as the bad guys it's very easy to perceive security as the no people and when we're not the no people we are the evil trying to catch you out people I'm just going to say the words phishing exercise and leave it at that shaming people is never going to build solid trusting relationships and the other thing is that security and cyber security are very scary things to a lot of people mainly because the messages that that we bombard them with are hideous they're costing businesses millions and millions of pounds they're costing people their jobs um and they don't these are these
are about things they don't understand they can't conceptualize what's going on we're saying it's their fault and they're the weakest link all of this other you know stuff we're not not NE not always very good at helping people feel confident around security and when we don't understand things things we either ignore them and pretend that it isn't real or we fight against it and that creates this sort of us and them mentality so security non-security and I think sometimes we probably all experienced that that kind of feeling and fear is the path to the dark side the more that Gap increases the harder it is to change people's perceptions and to break down the barriers that we uh
that we suffer that we're struggling with and it's not just this it's not just non-security people that people we're trying to work with that are affected by this we're directly affected by it as well we either feel like this can't take it anymore or we feel like this um so what can we do about it how do we help people to engage better with security so to explain this I want to move away from security and into the world of linguistics for a little bit so we perceive information um socially psychologically humans are social creatures even though some of us would prefer to sit on our own in a room with cat than stand in front of a room
full of people um but we function in tribes and I say that in an anthrop anthropological sense um those tribes being groups of people that share common knowledge experiences interests we're all part of many of those right if you enjoy going to the gym that's one if you enjoy Motor Sport there's another we're all Security Professionals there's another um you might enjoy esport running you know photography any of these things each of those groups is a tribe and each of those tribes has their own linguistic Norms their own language their own ways of communicating with each other so they can be in the form of um words and phrases that they use the way that they um the accent that they
use with each other or the kind of the idioms that they use between each other um to an extent the body language that we use as well when we're when we're talking with each other so all of these features added together um the study of those features is the is the field of sociolinguistics it's very closely related to anthropology and sociology um but yeah it's we create these kind of from a linguistic point of view we create these speech communities um and that is kind of security is a very powerful one of those communities we have a lot of our own um language and terms you think of the language of IT and technology and
security is that multiplied right so um we as humans because we belong to all of these different tribes they become um an integral part of our identity and we can have many identities that's fine and we'll code switch between the different groups that we're with but only generally speaking when we have an interest to do so and the other thing that's important to recognize is that we have a knack of filtering out the strange sounds that surround us every day so those sounds that are not part of any of the communities or tribes that we are a part of we're not interested in them we're not part of them okay so our language the words we use and how we use
them are as I've already said an integral part of our identities and in our own tribes we don't necessarily realize that our language is as private and as coded as it actually is it's all familiar and it's standard to us and we sort of rarely hear ourselves as being the ones with the accent right everything that we're saying makes complete and perfect sense to us even if the person's staring at you trying to figure out what you're saying you might as well be speaking a different language literally now sometimes we do deliberately use language to keep people out um we may do this to assert a kind of dominance over somebody to suggest that we are the authority voice on a subject
because you know I think this is something that particularly happens in academic writing and academic um Publications and things is is often you kind of write and and communicate in this kind of elevated language to suggest that you are the subject matter expert actually subject matter experts can absolutely distill that message down to really simple human everyday terms you might use analogies and metaphors that are not perfect that's fine because people understanding those messages is way more important than you using your favorite big word in in what you've written or what you're communicating to somebody the other reason that we sometimes will choose to stay within our language Community our language tribe and and without considering other
parties is um is for camaraderie and support from peers and colleagues um you'll you might have you know conversations with people that you someone new to the gym and the people who are regular to to the gym will have a word or a phrase for their new gym person who's just appeared and doesn't have a clue what they're doing right so you will you will be able to use your internal language to point out to somebody who is on the inside that that person doesn't know what on Earth they're doing right we've all done that and we've all had that done about us as well um so those are reasons why we sometimes stay within our language
community and um yeah it's not it's not always helpful but these slides have got mixed up so jump to this one so knowing this knowing you know that um language and the the language that we use is related to the specific speech communities that we're operating in at any given time we naturally switch between them we ignore and we're very very good at filtering out language of communities that we are not part of right so that's security people we're part of it so we are inherently in it people who are outside of security are those people who will filter out stuff not intentionally necessarily but because it's just not part of their world so we have to start
doing things to help to open up between the these different communities that we are part of so I just wanted to explain a couple of studies because there there is quite it's old research now but um it kind of illustrates the point um quite well so famous linguist uh William Labov in 1972 did a study at Martha's Vineyard um and this was an observation of linguistic change on an island that came about um from a community within a community that was originally reliant on fishing to fuel the economy but the fish stocks started to decline and so that local community became a lot more dependent on tourism and visitors to the island now what happened with the
language community on the island is the accent started to started to shift between those people who were trying to protect the traditions of the island so think of the inside the community and those people who had to build stronger relationships and were building dependent relationships on people who were visiting the island and the the people who were visiting the people who were dependent on those visiting the island diverged their accent away from the the the the original Island community those that were dogmatic about protecting those Traditions pushed even stronger and deeper into that accent and in a similar study in 1974 in Norwich um Trudgill also showed that speakers diverged or converged their accents based on the
relationship that they had or that they wanted to have between individuals that they were communicating with now obviously those two studies were both focused around accents but it isn't just accent this is vocabulary all of those other um communication factors that we've talked about body language um idioms phrases all of those other things um just that those those um studies are quite nice illustrations of um the behavioral aspects if you like that we have around language and the way that we communicate with each other so we need to find some common ground we need to converge towards our colleagues and peers we need to find these areas of common understanding now that may mean actually seeing if we
can find a d a convergence of related language speech communities that we belong to so I'm I like running and I like cats and I like Motorsport they're all quite good subjects to have to talk to people with and you can start from any of those or relate security Concepts into other parts of your of your tribal Community if you like so trying to find those areas of common understanding even if they may not Direct be um they're not security specific things but that helps you then to position the security content that you're the security message you're trying to share in a world that someone else is more involved with and more engaged with and they will take so much
more out of that conversation because you've been able to do that we need to um reduce our reliance on our in-group shorthand so you know we we will talk about firewalls and um allow list deny list block list whatever um like you know they just run they just roll off the tongue and you could just carry on well someone who's never come across these things is like hang on a minute what and we forget how many people are not really aware of of how these things work and what they do and so quite often it is a case of of S of remembering to strip everything right back and explain what things do um in like I say in normal everyday
language for people we need to care a lot more about being understood than protecting whether it's consciously or unconsciously um our security identity and credentials if you like um more often than not that ends up moving away from security and honestly I've done a number of workshops with people where We've Ended up um workshopping Security Solutions with Dragons because that's how we managed to start to you know dragons and castles and things like this that's how we managed to break through all of those things and make progress because people started to understand what we were trying to do and conceptualize what or you know the objectives of what we were trying to achieve in a way that they understood
it's not their job to understand the technology they're not not necessarily the techies each person has their role in this we just have to help everyone understand you know everyone get to the same page so that the the the people who specialists in their field can focus on the bit that they're specialist in but we all understand what we're trying to achieve so um it's not all about changing our message um into the language of someone else's tribe we're not trying to change the message we're not updating our um our message to suit someone else's agenda I'm not talking about presenting security problems in financial terms to talk to the finance people sometimes
security people need to talk about security things because security is the thing right but what we can do is try to find this area of common ground that allows you to step people through that security message in a way that becomes accessible to them I've done um a couple of talks before about plain language principles for writing and a lot of those will apply in any communication as well it's just that I'm not going to stand up in front of you and say Well when you're talking to someone talk in short concise sentences for example and uh use punctuation for clarity doesn't work like that does it um but the same the principles of you know avoiding jargon
explaining important terms using everyday words um like I said many times in this talk now um find common ground to work from um even if that's from another tribe that you share with them and that's outside of security so uh yeah that's it no if you have questions I will try and answer them clap for [Applause] please do we have any questions for an I like to use fire as a common thing I have to explain incident response to people and everyone's scared of cyber I quite often use that hey you know what to do when the fire alarm goes up don't you yes you understand what that risk is yes this is exactly the same yep and if you
can use that if you knew something that's common with them then yeah and that's the easiest way to break down those barriers I've spoken to many people that are terrified of cyber I we say it's just the same as fire they go oh all right yeah okay fair enough I understand that we just have to have a process yes and practice it occasionally would be good right no nobody speaks English that wants to have a question oh there we go oh I wasn't asking if you speak English oh
Scottish um very interesting talk 'cause uh I've just been looking at things around culture and whatever one of the things you said at the beginning was a bit of that you know the security says no um and that all we end up doing is going and finding the person who whose job it was to do something and didn't do it but do you think that's also part of the problem um I was reading something by McGregor who was looking at Maslow's hierarchy of needs and suggesting that you know um people aren't interested in those higher level needs until they've satisfied the basic ones one of the basic ones is for security and if you're afraid that people are going to tell you
off um then you're not going to get beyond that so do you think that's perhaps something we need to work on in how we address that yeah it comes back to all of this is about finding ways to build relationships with people ultimately that's what that's what this comes down to is is building relationships beyond our security bubble I think um one of the the things that we have in security is it can be quite insular we can't often um working a lot kind of on our own and within our own community and um but when we have to engage outside of that we sort of don't switch off from that side of things um
so one of you know I think there's a lot of work that we can do about you it's mostly about making things understandable for people I like Dave's fire analogy I use ridiculous things with people I say I've genuinely done um all this the the thing that ended up with castles and Dragons was a PCI compliance program mapping the end-to-end project for a PCI compliance program but we got there because we had this framework that everyone could engage with in terms that they understood and it took takes away some of that fear so yeah they weren't scared of the dragons no they're weird but the auditor came in and went right so can you show me
you say here you got a dragon where where's dragon PCI for Targaryens so carrying on the security say no thing um a phrase I heard once was security we put the no in Innovation my my question was um in your experience are there particular terms that people find really hard to understand is it around the complexity of the concept or is it more just a linguistic thing do you think I think in a lot of cases it's just the quantity of terminology and we use a heck of a lot of initialisms and acronyms for things and we're so familiar with them we we consider them almost words now you know Lan n so if only we just use one acronym for
each thing that would be helpful and didn't reuse acronyms for completely separate things as well yes any other questions for an hi um I don't really have a question but I wanted to share an analogy as well um so I run a project that's targeted to a specific fan base that I'm a part of so kind of communicating with my own tribe for Tech and security education and in a thread on Twitter explaining two-factor authentication the analogy I used was that your account is a house and then saying that your password is the front door like the lock on the front door and then 2FA is the deadbolt yeah useful we like stories stories is
good stories are stories and Common Ground oh wouldn't be the same if I didn't say something so um the analogy I like used as health and safety just nothing cyber security is some is where health and safety was say 20 years ago and it just it's going to take time for it to be common practice but have you any thoughts about um people in the C-suite I always find them the most difficult to persuade sorry say that again the people in the C-suite are your Chief Executives your directors and they're they're often such a gulf away from the IT team that it's quite hard to communicate in their language I think the key to
communicating with those people is respecting their absolute lack of time honestly and it's just get immediately to the point don't I I I get incre I get very frustrated with because I think that's one of those communities of people that we're often told oh change your message put it in pounds put it in terms of pounds and dollars because that's what they understand you're like but this is nothing to do with pounds and dollars it doesn't I can't do that math it doesn't translate that way I just need them to understand that there is a threat to the business that is as real as you know the office built burning down and the reason we put all those
precautions in so what I would say for that Community is respect this enormous lack of time that they have and written forms of communication probably better but absolutely plain language for that um yeah excellent right and with that I think we give an another massive Round of Applause please