In my previous post, I outlined why I feel the lack of good conversations between security practitioners and other people in their organisations leads to poor outcomes. A crucial part of the challenge is the need to truly develop a dialogue: both parties need to listen to the other.
“This one is so important that I will elevate it to a rule: Listen first, speak last.” From Peter Drucker’s list of effective executive practices.
Listening is a skill. We all think we know how to listen because we have been doing it all our lives, but for many, listening is merely waiting politely for their turn to talk (I have been guilty of this in the past) and deliver a diatribe or discourse. For a dialogue where both parties engage on an issue, understand the constraints and opportunities, and agree on a path forward, it is necessary to fully understand and incorporate the concerns and position of the other party.
An improvement on just waiting for your turn to talk is reflective listening. This is a technique where you listen to what is said to you and replay it back to the speaker. Reflective listening reassures the speaker that you have heard what they are saying. However, there is a danger that you merely parrot their words back to them without taking account of their meaning and import. This repetition without understanding can lead to later conflict when the speaker assumes that a reflective listener agrees with them and will act accordingly.
The goal of effective listening that supports a good conversation is active listening. This technique is where you hear what is said, you attempt to understand the meaning of what is said, and you use a combination of paraphrasing, summarising and considered questions both to confirm your understanding is correct and to communicate to the speaker that you care to understand their meaning. A genuinely effective active listener understands the speaker to the point that they empathise with them.
Active listening is a skill that can be learned like any other, but few have been taught. The first few times you try active listening, it can become overwhelming to combine hearing what is said with trying to understand and discuss the meaning while keeping track of your points of concern. You should also take care that your active listening appears sincere and not challenging. Paraphrasing and questioning everything a speaker says is exhausting and challenging for both of you, so it is useful to focus on where your understanding is weak or where the speaker appears to be placing specific emphasis.
There is no easy path to achieving active listening. It is obtained both from a desire to achieve better communication and ongoing practice, but the benefits are clear. You establish a better rapport, and you internalise a different perspective of your organisation’s issues and drivers, both of which will make you more effective in protecting the broader organisation and influencing the management of security risk by other stakeholders.
One of the challenges we can face is that the other party to the dialogue is not using active listening themselves, and we can become frustrated that our efforts are undercut by a lack of real engagement by our counterparts. I would argue that we need to make the first move: we need to improve how security as a community and discipline engages first, and be the example to our peers and counterparts. If they genuinely do not respond to the change in communication levels, then, as with so many organisational culture challenges, it may be time to take our skills and experience elsewhere. There are no magic solutions either to security risks or to effective communication, but we can improve; that is in our control, and if we care about protecting our organisations, we must improve the security conversation.