Security professionals have many tools in their toolbox. Some are physical in nature. (Wireshark, Mimikatz, endpoint detection and response systems and SIEMs come to mind.) Others not so much. (These assets include critical thinking faculties, the ability to analyze complex processes, a willingness—some call it a need—to dig in and find the root cause of an issue and a passion to learn and keep learning.) One such tool that’s often overlooked is communication.

Regardless of where you are in your security career or what you do, you need to communicate with others, in writing and verbally. Sometimes to explain a risk or vulnerability to the business. Sometimes to explain why you need, or do not need, a new tool to management. Sometimes to explain the requirements of new functionality to developers. Whatever the reason, miscommunication can cause confusion, produce inefficiency and lead to frustration.

I will skip over the foundational aspects of good communication such as honesty, reliability, consistency, good grammar, excellent spelling and legible handwriting and instead jump to a few less-thought-of ideas which I have found to be roadblocks in my own experience.

Be succinct

I am guilty of writing 100 words when 10 will work. Of continuing to babble long after my message has been delivered. For me, it is primarily to ensure my message is coming across, that my audience understands. This tendency stems from a lack of confidence in my ability to communicate. People are busy, and the means of communication are inefficient. It can lead to confusion as well as watering down the message.

Say there is a vulnerability affecting Windows and Linux. You need to inform your management of the vulnerability. If your company doesn’t use Linux, then don’t bring it up. Do not go into the technical weeds of the vulnerability