Matt Kelley


Bridging The Communications Gap Between Technology And Business

In this quarter, my fourth article for G&L, I want to focus on communications between business units, specifically what’s happening – or not – with business leadership and Information Technology and Security. I have attempted to touch on this subject in my previous contributions, but simply don’t believe that I did it justice.

In this edition, I rely quite heavily on the work of the fantastic Claire Tills, a communications researcher who focuses on information security. Her work, including case studies of specific incidents, can be found on her blog, and she is also very active on Twitter, @clairetills.

The ability to communicate is often taken for granted, particularly when conversing with peers within your industry – at least at the macro level. If you were to take a look at one of the biggest roadblocks to the efficient functioning of your own organization though, you will likely find it is clearly communicating requirements and expectations between business silos, such as IT and marketing or the executive teams.

What are the root causes of this problem, and how can we identify them and resolve the issues?

More importantly, what are the real-world, long-term ramifications of this lack of understanding? What happens if the status quo is allowed to remain?

One example of this would be during budget discussions between your IT or security departments and the CEO or CFO. The C-level might talk about the state of the business and how that impacts the technology budget, specifically referencing EBITDA*. Does your technology management staff understand that term and what it means for the business? If they have a look of glazed stupefaction, it is not a lack of intelligence; it is a matter of context and language. If they are provided those things, they are able to incorporate those concerns into their overall strategy and how they operate on a day-to-day basis.

*For readers unfamiliar with the term, EBITDA is Earnings Before Interest, Taxes, Depreciation and Amortization. It provides an indication of business health.

Another example, from the other perspective, would be that of improving the company’s information security profile through a new firewall. The security administrator identified a need and submitted a budget request. Management assessed the cost versus benefit and approved it up the line. When it gets to the CFO, do they know what they are looking at? Do they know the risks associated with the project, for both approval and disapproval?

These are just a few instances where communications can either hinder or help the efficient operation of your organization. Business units that understand clear goals and requirements are better able to achieve them. An executive who has a working context of IT and InfoSec operations will be more likely to see beyond the perceived budget sink and work with those teams to address critical needs.

Now that we see that there is a problem, how do we begin to address it? Here are three options with varying degrees of practicality:

  • Wait for science to create or find the mythical Babel fish, found in Douglas Adams’ iconic Hitchhiker’s Guide to the Galaxy series.
    • Current estimation of general availability: don’t hold your breath.
  • Send all of your executives and IT staff to Ireland to kiss the legendary Blarney Stone, which has apparently been the key to my own success.
    • Results may vary, consult your local leprechaun for terms and conditions. (see below)
  • Expend the time and effort to provide education and familiarization, both for business and technology.
    • Difficult, but attainable.

Assuming that none of you are quarts deep in Guinness or Jameson, the third option seems to be the most feasible to achieve.

How do you make that possible, especially between those units that use terms and industry jargon that are unfamiliar? As a systems administrator may be clueless about EBITDA, a CEO may not know the importance and effectiveness of application whitelisting or that crypto actually means cryptography. Another layer of complexity can be the hyperbole found in sensational industry articles that may not adequately discuss a topic, potentially providing misinformation or improper context.

One thing I have tried to stress in my internal work is common language. It is imperative that all parties know not just the definition of a term, but the accepted context in which it is used.

From A Blog Entry By Claire:

“Speaking the same language as your audience is important. In most cases, you’re already speaking the literal, high-level language of your audience, but it’s a lot more nuanced than that. Language at a lower level is one thing that trips people up on the way to understanding.”1

If we are capable of having open dialogues where the common language is understood by all parties, we have the ability to make significant, appreciable, improvements in our organization’s operation. Executives have a better understanding of what IT and InfoSec do, and those departments have a larger context in which to operate.

According to the National Institute of Standards and Technology (NIST), its Cyber Security Framework (CSF) is meant to assist in this area.

“By providing a common language to address cybersecurity risk management, it is especially helpful in communicating inside and outside the organization. That includes improving communications, awareness and understanding between and among IT, planning, and operating units, as well as senior executives of organizations.”2

From my personal experience and perspective, an informed IT staff could very well be your secret weapon, capable of providing new insights and alternatives to complex problems.

As I have mostly focused upon information security in my previous articles, I would be remiss not to relate how a lack of effective communications can be detrimental to your organization in that area, including the potential long-term ramifications from a communications gap.

If we go under the safe assumption that it is a matter of when, not if, your business suffers a security incident, are you prepared for that eventuality? Do you have an incident response policy? Do the appropriate staff know about it, or even know how to find it? Will you be able to communicate internally, as well as to affected external parties, such as customers, regulators and partners?

This is where communication plays a critical role in your organization. Every business needs to be able to function during a disaster, but can you do that when there is a gap in understanding?

Claire maintains a theme in her blogs about how companies react and communicate in response to incidents, and one post in particular references a company using a familiar script. The context of that blog post related to external parties3, but it is possibly more relevant internally, as something that your incident response team should be using.

I talked to Claire about some of these themes and issues, and she provided some really good insights, especially from a communications perspective.

In regard to the idea of language, she says that: “A solid shared dictionary/lexicon is critical, but it takes a long time to establish and a lot of relational work. The best way to achieve this is for the teams that need the shared language to work together for a while so they’re all humming along when the proverbial stuff hits the fan. It’s hard to course correct once a crisis is happening, but that’s also frequently the first time many teams are working together closely. Especially with public relations, it’s always going to be a struggle to unify the lexicon. They have a set dictionary they’re working from that aligns with journalism and professional writing that doesn’t align with technical language a lot of the time. They’re also trying to speak to specific audiences with their own dictionaries. It’s a complicated web of language!”

As many of us struggle to get our vendors and partners to understand requirements, we can probably wholeheartedly agree.

When asked about internal communications scripts, sometimes referred to as a playbook, she said that she hasn’t seen much evidence of them in the real world.

[Photo caption: Kissing the Blarney Stone and Consulting My Local Leprechaun for Terms and Conditions]

“I’ve seen teams scramble to pull something together – when they remember that internal audiences need information too. Internal communications are frequently forgotten or are a low priority. I think having a script or starting point is always helpful – even if it’s just to remind you that you need to do a certain thing at a certain time.”

When we discussed the impact of security breaches, of which we have seen many recently, she stated:

“My favorite thing I’ve found in studying breach response is the varied reactions to every breach. It seems impossible to guess how the public, the media, InfoSec, Twitter, etc. will react. Sometimes it’s a pebble in a lake, and others it’s a tsunami of outrage. Along with that is how the different types of incidents do (and sometimes don’t) change the public outrage. People are far less outraged when a company experiences a ransomware attack versus other incidents, they’re almost sympathetic.”

With those thoughts in mind, how are you and your organization going to prepare for the inevitable?

My last question for Claire on this subject was a single thing for executives to know about technology or security.

“One thing for executives is hard. I’d have to say that technology, especially cybersecurity, is complicated, and oversimplifying things doesn’t do anyone any favors. Nuance is critical and you have to think the best of your audience, don’t assume they’re Luddites.”

Communications can be complicated. It is up to us, managers and executives, to find a way to bridge the varied business areas. Through the use of a common language and open dialogues, our organizations will be much better positioned to address future demands.

Matt Kelley, CISSP, is the IT Manager for a Tribal organization that supports Gaming and Government operations. He is also the co-founder of Korr Group, a business venture that aims to improve the Information Security of small businesses and nonprofit organizations. Matt started out on the infrastructure side of technology nearly 20 years ago, and has found his calling in Information Security, specifically GRC. To stay current, follow Matt @kelley12matt or on his blog (Contact Matt).