Effective communication stands as a cornerstone, often overlooked yet vitally important. As cyber threats become more sophisticated, the ability to convey complex security concepts in a clear, understandable manner is crucial. Cybersecurity is no longer confined to information technology (IT) departments; it has become a central concern for entire organizations, including top-level executives and non-technical staff. The gap between highly technical cybersecurity language and the comprehension of those who need to understand these risks and strategies is a significant hurdle.
Recently, ICS Pulse talked to Leah Dodson of Nextlink Labs about the importance of communication in cybersecurity. The following has been edited for clarity.
ICS Pulse: We’re always interested in learning more about our guests. Could you share your background and how you transitioned from content creation to cybersecurity?
Leah Dodson: Certainly. My college major was in hospitality management, focusing on hotels and restaurants. At a certain point in my career, I was still exploring my options and considering what I wanted to pursue. I’ve always had a passion for writing and creating content. Eventually, I met someone involved in cybersecurity, more specifically an ethical hacker. This led me to attend DEFCON for the first time, where I encountered many fascinating individuals, some of whom specialized in penetration testing and program analysis. I noticed that many of these highly technically skilled individuals struggled to translate their technical knowledge into reports for C-suite executives. They found it challenging to present technical details in an understandable and actionable way for non-technical leaders.
I realized that this was an area where I could apply my writing and learning skills. From there, my interest in this field grew. I became deeply involved in DEFCON, serving as senior staff and working closely with speakers on their submissions and presentations. This experience enriched my knowledge significantly. I also engaged in hands-on activities in various villages at the conference, starting with lock picking, which was always enjoyable. This experience allowed me to understand the comprehensive scope of cybersecurity for an organization, encompassing everything from physical facilities to network security.
As I delved deeper, I discovered that my understanding of cybersecurity was more extensive than I initially thought. This is a common realization among those who frequently research and write on a topic — the knowledge becomes deeply ingrained. That was my journey. Now, as a principal cybersecurity specialist, I work with various organizations, notably in the fields of manufacturing, robotics and automation. Working with these clients has broadened my understanding of these industries. It’s intriguing to observe the parallels between the cybersecurity, manufacturing and automation sectors.
ICSP: Do you believe that being an effective communicator is advantageous in the field of cybersecurity? We’ve previously spoken with a guest who highlighted how cybersecurity can seem daunting, with its technical and math-heavy nature, making it appear complex. Do you think your approach of simplifying and communicating the essence of cybersecurity makes it more accessible?
Dodson: Absolutely. Cybersecurity can be intimidating because it’s unfamiliar to many, yet they recognize its importance. Translating technical aspects into a program that aligns with a company’s goals and specific requirements is valuable. I can take technical best practices and convey their significance from a programmatic perspective. This becomes particularly crucial when dealing with compliance regulations, such as CMMC, which is now a focus for DoD supply chain companies that may not have previously prioritized cybersecurity. They know they need to start somewhere, and having a well-structured program is vital.
ICSP: Not everyone has a Leah Dodson to help bridge that communication gap. What are some best practices for breaking down this barrier and guiding companies towards better cybersecurity?
Dodson: That’s an excellent point. We often emphasize the need for cybersecurity, but companies may not fully grasp the investment it entails, the necessary resources and how it fits into their organization’s scope. Do they just create a cybersecurity team and call it a day? Or is it a one-time initiative? Lesley Carhart, whom you recently interviewed, advocates for building a strong foundation. This starts with understanding your environment, including physical assets and human resources. A large cybersecurity team isn’t always necessary. Engaging employees — especially those on the shop floor, who know their areas best — by incorporating cybersecurity into their daily operations can have a more significant impact than imposing a massive cybersecurity initiative that disrupts existing workflows. Engaging your people is an excellent starting point.
ICSP: Once that communication barrier is overcome, and stakeholders can discuss cybersecurity more effectively, they might begin implementing various cybersecurity plans. How can organizations understand the return on investment (ROI) of their ICS cyber investments, particularly when considering the differences between IT and operational technology (OT) cybersecurity?
Dodson: It’s interesting that you bring this up. Currently, I’m immersed in a substantial reading list, and one of the books I’m going through is titled “How to Measure Anything in Cybersecurity Risk.” The reason behind reading this particular book is that translating cybersecurity risk into tangible financial implications can be challenging. I recently had a conversation with a company, and their concern was whether they would face any significant financial consequences from a cyberattack, given that it’s become almost expected in today’s world. They questioned if they would really lose business because everyone experiences breaches. Quantifying the potential losses resulting from a breach and understanding the severity of its impact on their company, customers, bottom line and employees can be a complex task. Viewing it through the lens of risk can be valuable, as there are various risks in business beyond cybersecurity.
When you consider risks like safety in the manufacturing industry, there are parallels with cybersecurity risk. In both cases, you want robust protection measures in place, ideally to the point where you don’t even perceive the need for them because they function seamlessly. It’s akin to that concept in movies where a secret group of heroes prevents catastrophes, and you never hear about the crises that never occurred. In cybersecurity, we aim to prevent incidents, and looking at it this way can be enlightening.
I recall a question from the audience during a panel discussion at FABTECH in Atlanta. Someone was grappling with how to convince their C-suite that investing in actual cybersecurity protections was more economical than relying on cybersecurity insurance. It was an intriguing question because I hadn’t previously considered this as a comparison the C-suite might make. However, nowadays, people often think, “We can just get insurance, and if something happens, it’s covered.” But this isn’t a sound financial trade-off, especially since insurance companies are increasingly stringent, demanding evidence of proactive cybersecurity efforts. The investment in cybersecurity must occur in a way that instills confidence in the protection it provides.
At a recent Automate show, we even contemplated developing a sample letter for companies to send to their customers in the event of a data breach. This letter would inform customers that their data had been compromised, outlining what might have been exposed and the uncertainty surrounding the attackers’ intentions. Seeing your own company’s name in such a context can be a powerful motivator for the C-suite, helping them grasp the real-world implications of cybersecurity breaches.