By: Shimon Brathwaite
February 28, 2022
How To Communicate With Technical And Non-Technical Cybersecurity Clients
As a cybersecurity professional, you will deal with many different people in day-to-day business. Technical clients are people with a lot of knowledge of how computers and information systems work. Non-technical clients are employees who are more focused on the business side and don’t have a strong understanding of computers and information systems. Your job requires you to communicate effectively with people on both sides of the coin. In this article, we’re going to highlight some of the most important stakeholders you will be communicating with, what their goals are, and how you can communicate effectively to avoid confusion, close more deals, pitch your budgets and progress your career.
Important Organizational Stakeholders
You will frequently be communicating with upper management. This includes everyone from middle management to the CISO, depending on the situation. Most of the time, you will be reporting on your team’s activities and providing them with information on its performance. This will mostly be in the form of reports meant to be a snapshot of the team’s performance. You may also need to talk to management about a cybersecurity incident, about buying software, or about hiring additional team members. For the most part, management will fall under non-technical clients.
As a cybersecurity professional, you will have to provide evidence during audits. For example, auditors will need information on what actions were performed, by whom, and when, and they will want information regarding the company’s network architecture and security controls. In addition, properly articulating what technology is used within the company will prove that the organization meets the required standards. Auditors can fall under the category of either non-technical or technical clients, because they may need information on how the technology in the business works.
End users are the company’s typical employees who use the technology within the company to do their job. During security investigations and potential hacks, you will have to interact with end users in different capacities. It may be because they are under investigation, because you need them to perform a specific action, or because you need to send a mass communication to everyone in the company. End users are considered non-technical clients because you never provide them with technical information when you communicate with them.
Team Members and Contractors
When working with other cybersecurity professionals in an environment, you typically convey information regarding security issues. This will primarily be technical information that will help other people in the investigation, such as indicators of compromise, discussions of software solutions, or additional information related to cybersecurity operations. Therefore, they will almost always be technical clients. However, the exception to this rule is when you are working in a cross-functional team, where you may be working with people from a non-technical background because you need their expertise. In cybersecurity, some common examples are human resources staff, legal advisors, or third-party vendors.
Dealing with Non-Technical vs. Technical Clients
Speaking with Non-Technical Clients
When dealing with non-technical clients, you want to emphasize the situation’s outcomes (the what), not the how. For example, if you have a cybersecurity incident, report what is going on to upper management. They want to understand the situation and the potential impact on the business. They do not care how the hack happened and don’t need to know the specifics of how the malware works. Avoid details wherever possible and focus on high-level concepts centered on business impact.
When dealing with upper management, they are primarily interested in understanding what the team is doing, if it’s being done effectively, and how it can be measured. The best way to do this is to capture metrics that demonstrate your team’s performance. A common example of this is recording the average resolution time for security incidents. Metrics like this allow you to easily quantify your performance and convey it to management in an easy-to-understand way.
For auditors, the task is more straightforward: they will tell you what evidence they need, and you need to provide them with the information they require. This includes having good ticket records, saving emails, keeping documentation, etc.
When dealing with end users, you should focus on giving directions. You should only be contacting them if you need information from them, if they are required to do something, or if they need to be informed of some action that may affect them in the future.
Speaking with Technical Clients
When speaking with technical clients, the conversation focuses on the how. They need to understand the how of a situation. This usually means the inner workings of a system, technology, or software. These conversations need to be much more detailed and less business oriented.
When dealing with team members and contractors, you must relay whatever technical details are relevant to the task. This may be done verbally, but you will often be tasked with creating an SOP (standard operating procedure), which is essentially a step-by-step guide on how to achieve a specific task. The goal here is to provide enough detail that someone can understand precisely how the process works from start to finish.
When speaking with auditors assessing your company’s overall security controls, it’s best to use network diagrams. This is the easiest way to convey how the company’s infrastructure is set up and makes it very easy to visualize what security controls you have in place. However, when communicating with auditors directly, highlight how the controls work and contribute to the overall security and data privacy requirements.
Non-technical clients are stakeholders that don’t have a strong understanding of technology. In contrast, technical clients are stakeholders with solid knowledge of, and interest in knowing the details of, the technology used in the business. When speaking to non-technical clients, make sure to emphasize the “what.” Highlight what is going on and why it’s meaningful. When speaking to technical clients, the emphasis should be on the “how,” which means how things are implemented in the company, how the systems work and are configured, and other low-level details that explain how the process in question works.