If you wish to rise to management (although you can get there without it, it does make your ascent more rapid) learn how to communicate technical terms to different levels of audiences. For example, when speaking to your firewall engineer you can get more techy and into the details, but when speaking to higher management speak more to the protections and design elements. Be prepared to answer the techy-type of questions if you are asked about it, but do not use the same speech for everyone.
Learn how to translate tech language into ordinary scenarios that are much more relatable. For example: Once when discussing a firewall to senior management I used the example of a bouncer at the door of a night club. He stops you, asks for ID, inspects your ID and if you are on the allowed list, he lets you in. If you are on the deny list, you are turned away. The senior manager got the idea without having to get into deep discussion about packet inspection and different layers of the OSI model.
Use examples that may cause a user to get it in a different manner. Another example, and this one is a little dated but you get the gist of it. Back when computer memory was expensive and in small amounts I had a user that had bought a program that required 32GB of memory. She had just upgraded her computer to 16GB of memory (from 8GB) and she had spent a lot of money on the upgrade. The IT tech kept telling her she didn't have enough memory to run the program, but she still didn't get it. I sensed the frustration building between the two, the IT person who kept repeating the same thing (not enough memory) and the user who was also just repeating the same thing (I just spent a bunch of money, why can't you make it work). As the IT lead I stepped in and explained it to her this way. I pointed out the window to the mini-van she had driven to the IT shop in.
I said "How many seats do you have in that van?"
"It can seat 7 people" she replied.
"Are the seats removable?" I asked. (This is before we had seats that folded down into the floor)
"Yes. All but the driver and front passenger seat." said she.
"So let's imagine we took out the 2 middle and the bench seat in the back and call that your computer when you only had 8GB of memory. You now can only seat 2 people, correct?"
"Yes"
"Now you went out and bought 2 more seats and spent a lot of money on them to get to the 16GB right?"
"Yes"
"So you can now sit 4 people in the van." I could sense she was starting to see where I was going.
"Well this program you bought says it needs to be able to sit 7 people in order to run and you can only seat 4. It doesn't matter if you bought leather seats at a high price when you put more seats in, you still don't have enough seats to fit all the people the program needs to run."
You could tell the light bulb had gone off and she understood. You could also tell she appreciated me being able to explain it in a different manner than just repeating the same thing over and over. The IT guy was saying the same thing but in a more restrictive and techy way. The customer was equating money spent to increased ability to run more, if not all, programs (not sure what the salesperson told her when they sold it to her...)
After she had left, I took the IT guy to the side and explained to him how he needed to work on trying to find a way to explain it so that the customer could understand. "She just didn't get it!" he said. "And you didn't get that she didn't get what you were saying and you just kept repeating yourself." I replied.
Being able to relate technical terms to everyday situations is one of the skills you will need to master to be an effective leader. You never know which audience you will be presented with. Be prepared and you can rise in your employment journey.
Well stated. One of the best experiences I had in my management career was a course I took while at VzW, part of their management series. In the course, we took the Mindex profile. Like some other tools, this was meant to give you an idea of how you thought. In the end, the most important result was that my score was almost the mirror image of those others around me, who were primarily non-technical people (Sales, Customer Service, etc.). What it meant to me was that I fundamentally thought differently than these people. You can argue I think that way because I am an engineer, or that I am an engineer because I think that way, but it doesn't matter. At some deep levels of understanding, the same set of information means something different to me than the majority of others (at least in that room, that day, and probably in general). Since then, I have been far more aware and understanding of communication issues with others. What appears to be self-evident to me may not be to them, so I need to employ some of the skills as noted above. That has made a huge difference in my professional life, both directly and indirectly, as it was something I talked about often with teams I managed.
@CISOScott wrote: If you wish to rise to management (although you can get there without it, it does make your ascent more rapid) learn how to communicate technical terms to different levels of audiences. For example, when speaking to your firewall engineer you can get more techy and into the details, but when speaking to higher management speak more to the protections and design elements. Be prepared to answer the techy-type of questions if you are asked about it, but do not use the same speech for everyone.
This is a great example of a more general precept on succeeding as a middle manager. In any position that has both bosses and subordinates, you must balance keeping the bosses happy and keeping the subordinates happy. If you have been in the workforce for long, you have probably seen failures on both sides of that balance sheet: Bosses who concentrate only on keeping their own bosses happy by pushing productivity and cost savings end up with terrible employee morale and high workforce turnover. Bosses who lean too heavily on subordinate "happiness" often fail to include pride in quality and production in the definition of happiness, and end up missing production goals and going over budget.
Learning how to speak meaningfully to each audience is, indeed, a great part of balancing the two sides of a middle manager's life.
@CISOScott wrote: If you wish to rise to management (although you can get there without it, it does make your ascent more rapid) learn how to communicate technical terms to different levels of audiences
There's an article on this very subject in the current issue of the member magazine...
Yes, you can't get technical with management, but they ultimately make the major decisions --- so you'll want to express yourself to them properly.
One of the times I've used this is when emphasizing the importance of user awareness in security. To explain that investing in all other aspects & neglecting this doesn't make sense, I usually provide an example of securing a residence.
Locks, fences, CCTV, Alarms, etc. won't do much good --- if you have a gullible housemaid who's very likely to let a 'friendly looking salesman' inside...
I was taught at school the concept of linguistic register, i.e. tailoring the language you use to your audience and the situation. As an example, you would typically use more informal language when you're spending time with your friends, while in a job interview you would use more formal language. This is something that should come naturally and is an important part of being an effective communicator, and it's soft skills like being able to communicate well that will help you rise in any chosen profession.
@Shannon wrote:
Yes, you can't get technical with management, but they ultimately make the major decisions --- so you'll want to express yourself to them properly.
One of the times I've used this is when emphasizing the importance of user awareness in security. To explain that investing in all other aspects & neglecting this doesn't make sense, I usually provide an example of securing a residence.
Locks, fences, CCTV, Alarms, etc. won't do much good --- if you have a gullible housemaid who's very likely to let a 'friendly looking salesman' inside...
Reading between the lines, does this mean your organisation doesn't align to or certify against any security management frameworks? As user awareness training is mandated in pretty much every framework, you shouldn't have to "sell" this to your executive/management teams. Further to this, user awareness training is core to building a "culture" of security where all of your company's employees don't have to think about acting in a secure manner; it just comes naturally as part of an ingrained nature - this is part of the InfoSec nirvana!
I won't teach you to "suck eggs" about the whys and wherefores of aligning to a security management framework (as a CISSP and a CISM you should really know these), but I think your time would be better spent communicating the benefits of an appropriate framework to your executive/management team as part of a more holistic approach to information security rather than calling out individual control gaps - if one fundamental gap is known to exist there are likely to be others!
@AlecTrevelyan no doubt that would be a better approach --- unfortunately the management doesn't embrace frameworks & is content to comply with the requirements of regulatory authorities, so I have to work with nuts and bolts.
Very nice article showing how different approaches matter in different situations....much appreciated
Well said CISOScott.
I believe building your communications skills is an essential skill that should not be overlooked. It is important to relay how security initiatives facilitate business. And also learning the core business details no matter the industry is also a key component. If you don't understand the business, you may make poor recommendations.