Cyber Warfare – should we change our dictionary?

Recently Dr. JR Reagan, the Global CISO of Deloitte, said as an industry we “Talk in the Language of Battle” he’s right. Our dictionary of engagement and communication, was written during the cold war, when Armageddon was a real threat and battle language was appropriate. Now, our problems are very different, but our “dictionary” remains the same….

“Popular and regular topics” for industry thought leaders include:
Why aren’t there more “Women in Cyber”?
Why aren’t graduates flocking to our industry talent pool?
Why aren’t SME’s, one of the most “at risk” areas of our supply chain, engaging?

(ISC)2’s most recent Global Information Security Workforce Study said “women in the information security profession represent 10% of the workforce” – a percentage that is unchanged from two years ago.

Higher Education and Universities (specializing in coding skills), confirm that their most popular elective is game development. Students are not flocking to join our ranks – instead they choose skills that lead them to compete for jobs in an oversubscribed games industry.

50% of SME’s were attacked last year, 10% repeatedly, yet a recent survey by Barclaycard found just one in five SME’s see Cyber Security as a top priority. Only one in eight SMEs (13%) claim to be confident enough about cybercrime to protect their businesses. Typically, they are put off by jargon and industry speak, so report feeling confused or powerless.

Federico Fellini once said “A different language is a different vision of life” – he was a master film maker and understood the power of language, to engage (or disengage) a listener.
Thought leaders often talk about the “popular topics”, but few discuss the issue of “cyber languaging” – or that we may be sabotaging our own communication lines

So why as an industry do we need to communicate more effectively?
In this case the answer is simple, communicating effectively helps us build trust and engagement. Bob Burg, author of “Adversaries into Allies” said “All things being equal, people will do business with, and refer business to, those people they know, like and trust.”

I’d add the concept also works for whole industries and company recruitment too! Inclusive communication is the foundation trust and engagement.

Companies, even industries, whose values include “shared vision” have more recruits and better retention rates. The games industry (perceived as an open collaborative environment) has graduates aplenty. My own experience, in Titania, is that when we change our “dictionary of engagement” to match our audience, engagement increases by up to 300% (benefits have occurred in recruitment numbers, quality of candidates, lead generation and seminar attendees).

Could it be that simple? Is Cybersecurity’s military-style over complex languaging alienating women, the graduate pool and potential clients? Could many of our most popular, industry wide “problem topics” be solved by better languaging?

Joe Winn an advocate of accessible languaging within technology and finance certainly thinks so, he states “the average American understands what they read best when it is a 7-8th grade reading level” and that this level “does not reflect intelligence, rather, the degree of complexity (or lack thereof) to ensure your writing is understood”

Winn (who you’ll find on Twitter as @JoeCUGeek) also points towards reading complexity tools and examples from leading journalists and authors. Time aims for 9th grade. The New York Times, 10th. John Grisham, Stephen King, Tom Clancy, and many other bestsellers write at a 7th grade reading level.

So where does the average “Cyber Job Advert” rate, why do we need to simplify?

Here are just two “key requirements” taken from an advert on Indeed.com (there are many, many more just like this). Apparently this role in “Cyber Forensics” involves:

• Understanding, mapping and navigating complex IT environments, selecting and deploying appropriate techniques and tools to quickly triage a compromised environment and correlate data from multiple sources to evaluate the scope and impact of a breach.
• Supporting our customers in proactively planning for and defending against a variety of cyber threats using both commercial and custom technology and threat intelligence sources.

Using industry tools that measure “readability” gives us the following results:
https://readability-score.com/text/ The grade level estimate of the first sentence is 22, (16 or above is rated graduate or post graduate level content). The reading ease of the Cyber Forensics post, where higher is better and 60+ is a good aim, scored 1.5

Many of the great people who could do a great job in this role, just skipped past it to look at the Game Developer job on the next page – in that role you’ll be:

building high quality and fun games with a purpose. You will work closely with your game team, including other developers and designers to deliver a great player experience.”

The game developer job reads at grade level of 12.1 (Undergraduate or College text level) and has a reading ease of 53.6. The second selection is not only mathematically simpler to comprehend it’s also more engaging!

Here’s how the first role could’ve looked with a 12.2 grade level and a reading ease of 56.8

You’ll be working with a wide variety of clients, often with complex IT systems, in order to find and fix damaging security breaches. It’s a fast paced, vital role that helps them defend their data, reputation and income during an attack. Once their information is secured, you’ll then work with the client to understand who had access to their data, what the effect of that was and what they can put in place to stop it happening again.

So what do we need to do to fill our cyber skills gap, get more women in cyber and engage with SME’s?

We need to adopt a #BabelFish approach!

(The Babel Fish was an idea coined by Douglas Adams in “Hitchhikers Guide to the Galaxy” it’s practical upshot was “if you stick a Babel fish in your ear you can instantly understand anything said to you in any form of language”).

To better engage as an industry, we need become Cyber #BabelFish and use open and accessible language. We need to train ourselves to translate our “industry speak” – into language suitable to our listener….

Would an accountancy practice respond better to threat mitigation or risk reduction?

Could we help a non-technical person in a Healthcare Practice, understand the need for patching and antivirus better if we talked of strengthening their IT immune systems or inoculating against viruses?

A question answered….
The ideas above were proposed to recent attendees of my #CyberSecurityNow “Cyber Languaging” seminar (Alert Logic’s HQ, Welsh Festival of Innovation, Cardiff, June 2016).

The audience was mixed and included both recent graduates and security pros with many years’ experience. Most agreed that our language choices are a barrier to engagement and a lively discussion ensued.

Many people admitted that they still sneak off and Google acronyms and the graduates felt that things were more complex than they needed to be.

Together we harnessed the “power of the Post-it” and our initial thoughts were collected into three areas.
1) Words that we use as an industry that could block engagement (Cyber Language).
2) Those words translated into common or client led language (#BabelFish Translation).
3) What benefits we might gain as an industry in doing this.

These are the groups “off the cuff” responses, also interesting was the speed and activity around the “Cyber Language” answers (where there was more duplication), whilst the other topics created more debate and reflection.

There is clearly more thought to be put into this as a subject, but our military-style language seems to alienate women, the graduate pool and potential clients alike.
For Cybersecurity to work, we need people to feel engaged – so isn’t it about time we did something to change our dictionary?
Further Reading:
https://www.isc2cares.org/uploadedFiles/wwwisc2caresorg/Content/GISWS/2015-Women-In-Security-Study.pdf

http://fedscoop.com/does-cybersecurity-need-a-new-language

http://www.csmonitor.com/World/Passcode/2015/0216/To-attract-more-women-cybersecurity-industry-could-drop-macho-jargon

www.home.barclaycard/news/small-businesses-failing-to-protect-themselves-from-growing-threat-of-cybercrime.html

http://betanews.com/2016/06/21/smb-ransomware-resources/

http://credituniongeek.com/2014/09/09/kids-understand-darndest-things/