Communication is vital to all aspects of life and business, especially when it comes to cyber security. I consider having solid communication so important, that I would go as far as saying it isn’t possible to have an effective security program without equally effective and high-quality communication.

Here are some common symptoms and risks associated with poor communication or complete lack thereof:

  • Delayed (or lack of) response to security events
  • Personnel following inconsistent procedures
  • Shadow IT (people doing their own thing, buying their own tools without leadership visibility or being supported by IT)
  • High volume of support tickets for the same item
  • Appearance of team/departmental silos
  • Lack of visibility into key processes
  • Lack of visibility into your IT environment
  • Personnel feeling unheard or unfulfilled
  • Personnel expressing frustration around lack of clarity and communication (obvious right?)
  • Security or operational issues go unaddressed
  • Technical debt is created when important decisions are made based on limited information and scope of understanding
  • Lost energy from duplicate work performed by teams not communicating

The list can go on and on and I am sure you could easily add items that I didn’t include.

The good news is that communication is something that can always be improved, with leadership support, team buy-in, and legitimate effort!

I recommend starting with the following steps to evaluate the quality of communication at your organization and evaluate how to create tangible improvement.

1. Foster a culture that values open and respective communication

This one can be difficult. People don’t usually share constructive criticism unless they feel safe. So even if you start listening, the data you get will not be of immense value unless your people feel safe sharing their frustrations and dreams with you. This is not something that changes overnight, but something to continually strive for – and it starts at the top of the organization.

2. Listen to your people

You hired them for a reason, more often than not, your personnel will have a different perspective than you on how well the organization is communicating. Listen to them. Hold more one-on-ones, town halls, anonymous surveys. Make it known that the organization is seeking to improve communication and that leadership is truly interested in breaking up silos to better support inter-team communications. As you work through this process, listen more than you speak, ask for honest feedback as well as proposed solutions on how communication can be improved.

3. Act

This is where many of us fall short. We hold awesome focus groups, solicit feedback, and celebrate all the wonderful data we collected and then…life and business needs catch up and any communication reform we hoped to enact evaporate as Monday morning craziness takes over.

Don’t let this happen!

Gather the responses you receive, look for commonalities, and prioritize the challenges and ideas collected from your team. Enlist support from all levels of the organization and start working on communicating better. Communicate your plan to the organization. It is vital that everyone knows that leadership is following through and serves to further trust.

So, what does this ultimately have to do with cyber security?

In a healthy, communicating organization, news and experience are shared.

For instance, Jack from Accounting receives a phishing email that appears to be from Donna, his CEO. She's urgently requesting that gift cards be purchased, and the codes emailed to her as she is in an important offsite meeting and wants to use them as rewards for participation.

In an organization where communication is valued and encouraged, Jack would likely have received security training and feel comfortable asking his peers (or better yet, calling Donna on a known number) to ask about whether the email was legit. Jack would have contacted IT, knowing that IT would review, verify, and communicate a reminder to the entire organization to stay vigilant. In an ideal scenario, the phishing email would end up in quarantine with the Security team handling it, while the rest of the organization is reassured by clear communication.

Now, we know that the above scenario is far from being commonplace. It’s the direction we want to head. My dream for you is that you are either currently in a healthy organization that values communication and continually seeks improvement or that you come to realize you can be an agent of change. Work from the inside to break down barriers, foster trust, and help your organization realize everything that can be achieved simply by communicating better!