It has taken me 12 years in information security to realize that as loud as our industry is shouting, we’re mainly only being heard by ourselves.
For all the effort we are putting into education, information and awareness, we’re just playing to the beat of our own drum. It’s a depressing realization.
I attended a retail technology conference in New York at the beginning of this year. It was here that this sad reality dawned on me. I sat in session after session, listening to retailers from the world’s biggest brands talk about how big data, artificial intelligence and the internet of things are evolving the retail industry exponentially.
Through all the discussions of how technology can and will progress retail, there was zero acknowledgment of any potential security – or even privacy – implications.
It was a huge wake-up call.
I’m not saying cybersecurity doesn’t get its moment, but it tends to be just that – a moment
Our industry is in a bubble. Sure, it’s an increasingly huge bubble, but it’s a bubble nonetheless. Within our bubble, we all totally understand the challenges that we’re facing and we’ve actually got pretty good at articulating them – to each other. What use is that? We’re preaching to the converted.
Having said that, it would be ignorant to ignore that progress has been made in our industry’s outreach. My colleagues and I have been on national news multiple times over the past year discussing cybersecurity events that have made front-page headlines.
During the WannaCry saga, cybersecurity was a hot topic. When the Uber breach made headlines, friends and family quizzed me on data security. I’m not saying cybersecurity doesn’t get its moment, but it tends to be just that – a moment.
During the Uber breach ‘moment’, my friend – a black cab driver – messaged me to ask, very hopefully, whether the breach would affect Uber’s business. I had to tell him honestly that in all likelihood, within a few days when the headlines subsided, so would their customers’ complaints and dismay. I’ve tried and failed to find data on how many accounts were deleted as a result of the breach, but I suspect it was very few.
So why does the world – outside of our bubble – tune out after that moment, if they were, indeed, tuned in at all? I guess it can partly be attributed to not wanting to hear about a subject that exclusively delivers negative headlines. Perhaps though, it’s also down to the way those stories are delivered.
We’ve got so good at talking to ourselves that we use language and acronyms that only those in ‘the bubble’ would comprehend. How can we expect the rest of the world to tune in to something that is almost impossible to understand?
Retail is an industry that is brand new to me, and in the last few months I’ve attended a couple of events. I can walk into the conference sessions, digest the information being presented and understand every word. There is no way the same would be true of someone entering the information security industry for the first time.
There’s absolutely a time and place to showcase technical capability through technical vocabulary and talking the ‘techie’ talk
I get that information security is largely a technical discipline, so there will inevitably be terminology that is niche. That doesn’t mean that we can’t learn to articulate that better – to our business colleagues, to our boards, to anyone and everyone outside of our bubble. If we’re talking a language that people can understand, they’re more likely to listen.
In our cover story this issue, Kathryn Pick tackles the controversial topic of diversity in our industry with remarkable skill and candidacy. I truly believe that the key to improving diversity in information security is in the way we present and market ourselves as an industry and as a community. A huge part of that is how we talk and how we communicate both inside and outside of our bubble.
It doesn’t have to be mutually exclusive though. There’s absolutely a time and place to showcase technical capability through technical vocabulary and talking the ‘techie’ talk. There are multiple conferences built for this very purpose. I guess what I’m saying is: don’t suppress geek! Instead, be conscious of it, be self-aware and know when to break out of that bubble and talk in a way that will make everyone listen.
For those of you making the annual security pilgrimage to San Francisco for the RSA Conference in April, we can’t wait to see you there. The magazine will be on stand 5100 in the North Hall, so please do swing by to see us.