That all security professionals spent time having to explain what they want to do to lay people. And that doesn’t mean Information Technology professionals, who will understand many of the things you are describing.
No, you really need to learn how to communicate what you intend to accomplish, how you will accomplish it, and what it will involve to people who have absolutely no practitioner knowledge of InfoSec. Talking to people who don’t automatically know what packets, a man in the middle, firewalls, malware and all the other things we take for granted are would open everyone’s eyes.
You would have to find ways to explain what a SIEM is, why you need an MSSP, how someone’s credentials are compromised, and why that puts them at risk for financial fraud and identity theft. When you talk about whaling, spear phishing and social engineering, their eyes will glaze over until you explain it in ways they can understand.
How many of you ever have to do that? Very few. I wish you all had the opportunity to talk to “normal” people and explain what you do. It would make a huge difference for all involved.
Well said. Amazing that more IS professionals do not do this. How else can you convince business to do what is required to help them do their jobs securely? Otherwise all they see is money being thrown at mysterious acronyms with little to no idea of its effectiveness.
Most IS professionals live and work in echo chambers. They generally only have to explain what they are doing to other Infosec guys or, perhaps, some IT leadership. Maybe the ISO has to talk to people outside the IT organization, but other than that, not so much. And the Prof Services and consulting folks very often have little to no idea of what the life of that ISO is like.