SoCal Cyber Cup 2018:
Communication in CyberSecurity
One of the stated SoCal Cyber Cup Goals (see About the SoCal Cyber Cup) is to “foster a spirit of teamwork, ethical behavior and effective communications, both within and across teams.”
For the 2018 SoCal Cyber Cup competition, the top eight varsity teams were given a forensics challenge, a new element in the competition, that involved finding physical clues related to a mission. This communications component required teams to present their findings to a pair of judges. The presentation was scored by a technical judge and business judge, and the students were evaluated on how clearly and effectively they communicated their findings. This new component was added because communications, visual presentation, and delivery are all key elements and necessary skills for the business world.
As the Communication Lead, I was tasked to help establish the rubric for the communication element. I was qualified to serve in this capacity because I am both a Ph.D. student in Technical Communication and Rhetoric at Texas Tech University and a Technical Writer at ESET, a global cybersecurity company. I have published on cybersecurity topics in security blogs, online security magazines, and a peer-reviewed journal. My research is focused on how to effectively communicate cybersecurity information (for example: privacy policies, data breaches, and complex malware related issues) to people using a user-centered design methodology.
From talking with business leaders who work in cybersecurity, I have repeatedly heard how important communication is. I heard from a whitehat pentester on how much of his time was spent figuring out how to communicate the highly-technical findings to diverse stakeholders. I spoke with cybersecurity consultants about how cybersecurity communication was approached in the boardroom—namely, we need to use business language and present information from a business perspective. Business stakeholders expect executive summaries and with the current climate regarding cybersecurity, boards are now demanding formal presentations.
Why introduce students to communication in cybersecurity?
As the Communication Lead and forensics challenge judge, here I want to address the SoCal Cyber Cup students directly. Inevitably, there will come a time in your career progression when you will need to present your findings to a boss, or CEO and one of the best ways you will be able to share information is to communicate clearly to them on what you’re doing.
Communication is vital to cybersecurity. To help meet the Cyber Cup goals, we know that communication and collaboration are integral components for responding to cybersecurity incidents and sharing cybersecurity risk information. Moreover, collaboration has an invaluable role in the collective cybersecurity of the United States.
Some questions to think about: How can you conduct your research or continue to expand your influence with cybersecurity principles in a manner that protects the privacy and civil liberties of individuals; or that preserves business confidentiality; or that safeguards information being shared; and finally, that aids businesses and governments to protect the interests of citizens? These are some of the questions that will be part of the long-term education many leaders advocate in cybersecurity.
Governor Tom Ridge (Former Secretary of Homeland Security)stated that “people share more than they know” and that there is a role all people play in cybersecurity and privacy issues. You, as cybersecurity students and professionals, will be advisors to local and federal governments on cybersecurity policies, as well as advisors to business leaders, organizations, and local governments—how will you effectively communicate your knowledge to give agency to the people affected by dangerous and/or criminal elements, and what are you doing to stop them? How will you involve people in this conversation?
Real-world cybersecurity needs real-world communication
Imagine you are working on a cybersecurity-related issue—something no else has been able to figure out. A cybersecurity issue that affects real people and you know what to do to fix the problem or know how to help people defend against it. Most likely, you will be doing this as part of a job, meaning someone is paying you to do this. When you finish your work, at some point you are going to have to tell someone how you figured out this highly technical problem for your work to be applied to meet your goal—the goal of helping people with cybersecurity issues. So what are the two main elements to address here?
(1) Highly technical content, and (2) People.
The results of your work can’t be realized unless it can be communicated effectively and in the form that best meets the needs of the audience. You already have the desire and technical skills to meet this challenge, and this program will help you improve and refine your knowledge of cybersecurity. However, to meet the requirements established by the ISAO Executive Order as well as the goals for the Cyber Cup, I urge you to be mindful of the integral role communication holds for navigating the processes involved and organizational negotiations needed to meet the cybersecurity goals set out by this program. For these reasons, I am proud to be a part of the 2018 SoCal Cyber Cup.
Blog written by Fer O'Neil, ESET Technical Writer