58 58 correctly predicted forecasts
Send me real-time posts from this site at my email
Malcolm Graham

Cyber geeks are going to school to become less nerdy

When Darrell Keeling learned the hackers who stole millions of credit card numbers from Target in 2013 cracked its network through an air conditioning vendor, he wanted to make sure the same thing didn’t happen to his company, Jack Daniel’s whiskey-maker Brown-Forman.

He found himself outlining a strategy to secure 14 stores and more than 150 retail websites for top executives — only to learn that they didn’t know how Target TGT, -0.36% was cracked in the first place.

So he backtracked, explaining how everything from soft drink machines to heating, ventilating and air conditioning systems are connected to the Internet before detailing his security plan.

Keeling, and information security leaders like him, are hired to keep hackers away. But before they can do that, they face another challenge: getting their message across. As companies battle the increasing threat of cyberattack, security leaders are moving into the C-suite, briefing boards and the public on high-stakes breaches.

“Looking back, I wish I would’ve taken more of a higher-level communication approach…something the business could actually interpret and digest,” Keeling said.

Dropping the nerd talk isn’t always easy for people with technical backgrounds. But breaches can hurt a company’s reputation and business, and security heads are increasingly thrust into the spotlight when criminals break into their company or a competitor. It’s also harder to convince a board or chief financial officer to give you more money for technology or staff if you can’t explain how it’ll help.

Just one-third of IT and security executives say they think their boards actually understand them, according to a February survey by Bay Dynamics, a San Francisco-based security analytics company. While two in five feel they give the board actionable information, 63% say conversations with their boards don’t improve security.

Part of the problem, experts say, is that security people don’t have experience translating their work to outsiders because in their daily work with staff and vendors, they don’t need to.

Carnegie Mellon University is trying to help cyber pros make that transition. Larry Kamer, a crisis communications strategist who has advised companies including Nike NKE, +0.95% General Motors GM, -2.88% and J.P. Morgan ChaseJPM, -1.94% teaches a course on translating technical jargon and developing communications plans as part of the school’s chief information security officer certificate program.

“These men and women are coming from a world where the more technical expertise you have, the more jargon you speak, the more credible you are,” Kamer said.

He offers four simple tips for cyber pros: Cut the acronyms, define everything, avoid military language — don’t call your security plan “countermeasures” or the risks to the organization “threat agents”— and don’t make assumptions about what people already know.

The six-month program, which took its first class in 2013, now runs in the fall and spring with 16 to 20 students in each class. The students, some of whom already work as chief information security officers, complete most of the curriculum online.

They visit the school’s Pittsburgh campus at the start of the program for orientation and return at the end for final presentations, running through how they would respond to breaches with technical plans for forensics committees and information for mock boards.


A cyber attack crippled the electronic database at Hollywood Presbyterian Medical Center in February, forcing doctors at the Los Angeles hospital to rely on telephones and fax machines to relay patient information.

Keeling, who now runs security for the Dodgeville, Wis.-based clothing company Lands’ End, is also an instructor in the Carnegie Mellon program after completing it in 2014. He says students are often surprised to learn that once they get in front of corporate boards, they may only have a few minutes and a handful of PowerPoint slides to get their points across.

Getting off to a bad start, he said, can derail a critical presentation. “You’ve lost them from the beginning because their mind is going, ‘What is malware?” Keeling said. “Give them a definition of what malware is and how it occurs. Don’t assume. Boards are full of intelligent people, and they’ll let you know if they’re OK.”

This story was first published on March 3, 2016.

More from Priya Anand