Wednesday, January 6, 2010

Maybe this will help

I have had a few conversations recently on the topic of getting security messages to a wider audience, and the pitfalls that may bring. If we are too technical we lose the audience, if we generalize we may get called out by security pros for inaccurate or incomplete statements. This will always be a balancing act, but there are a few things I believe will help. These aren't original thoughts of mine, but I think they are good ideas which bear repeating.

First, there is a tendency to dumb-down content for non-technical people, and that is a mistake. Presenting information in a concise, or even simple, manner is fine- but don't dumb it down. I can describe the Internet as:

An interconnected mesh of networks and connecting links


A series of tubes

The former is not perfect, but is simple and concise. The latter is simple, and wrong. Most of the people we need to reach aren't stupid, they just aren't security pros, so we need to educate them- while accepting that they don't want to be security pros, they just want to be safe.

The second idea is that we need to define ourselves and our audiences before crafting and delivering our messages. I mean really stopping and thinking about our own background and perspectives, and then considering the audience's perspectives, goals, and expectations. Imagine you are going to talk about Fast Flux and Double Flux (165k PDF), if you are a network security engineer for an ISP and are presenting to an audience of peers you can safely skip an explanation of DNS, and you need specific details and examples in your presentation, generalizations won't be welcome and errors won't be tolerated. And if the presentation is good, many will ask you for copies of it so they can re-read and digest it later. Now imagine you are trying to explain the same concepts to a local ISSA chapter, you'll need to review DNS for the less technical folks and you won't want as much detail, and no matter how good it is there won't be too many people asking for your deck. If the audience is non-technical managers at work you will need to cover the basics and make very concise points; you get one shot, and no one is going to ask for your slide deck here.

And if the target audience is the general public, we need a distilled and focused message. Not stupid, not fear-mongering, no lies. But maybe a generalization, an anecdote, a story- as long as they are honest.

No matter who we are trying to engage, we need to understand our own perspective and we need to know our audience- and if there is a chance of confusion, we should make things clear. I'm not suggesting we need to preface everything with an explicit "intended audience" disclaimer, but sometimes it would be a good idea.

Go forth and enlighten the masses.