Much of today was spent leading a workshop session for product management people on the subject of security and risk. The session went well and one particular point of feedback resonated: it was commented upon that the perception prior to the workshop was that it would be a day full of technical jargon for a technical audience and consequently attendance was under some duress. So, the person in question was pleasantly surprised to find that the topics were discussed at an easy to understand, non-technical level and more surprised to actually learn something and take away some useful information.
Now – and hold on a moment while I get my soapbox out for this bit – talking up to non-technical stakeholders is pretty essential in my opinion if we want to ensure that security and risk are understood at a senior level. It’s where soft communication skills win over hard techie talk and I’ll be the first to admit that this is something that takes time to learn. I can chirp on all day about encryption algorithms, cross-site scripting and denial of service attacks, and just watch the audience all reach for their BlackBerrys simultaneously at only the third mention of the term “regulatory compliance.” What is wanted is some plain-talking, business-oriented discussion. In other words: here’s the problem, here’s a solution, this is how much it’s going to cost.
So, right here and now I’m kicking off my personal campaign for clear talking. No jargon, no techie twaddle. If we want to win the business over when it comes to security and get the right messages across, then clear talking wins the day!