No matter the years of experience in cybersecurity, we’re often in situations where crucial details are missing. Yet, we often hesitate to ask questions because we don't want to appear ignorant or don't know what to ask.
This three-part blog series delineates how to use questions to succeed with security projects. I’ll explore three types of activities — discovery, planning, and persuasion — and review several examples.
In this post, we look at discovery.
In cybersecurity, discovery activities include gaining situational awareness for a new role or project, assessing security measures, understanding business requirements, investigating an incident, and more.
What questions might come up during these activities, and how should we pose them? Let’s explore an approach to asking questions that boosts such efforts.
Finding the Right Words
Sometimes it’s hard to find the words that not only express your ideas, but also resonate with the other person. Let’s say you’re reviewing the security posture of an organization. How would you determine whether the following is a good way to pose the question?
Which controls support ISO 27001 annex requirement 8.2 for information classification?
To determine whether that’s a compelling question, ask yourself:
- Is your audience familiar with requirement 8.2?
- Will the person understand the terms ISO 27001, controls, and annex in this context?
- Will the use of ISO and security jargon freeze the person into inaction?
Phrase your questions using words that your audience understands. When unsure, start with an open-ended question like:
Please tell me about your approach to classifying information.
Answers to open-ended questions will reveal how familiar the person is with the subject and shape your follow-up questions. Open-ended questions might also prompt the person to share information that you wouldn’t have known to request.
Where to Begin
Decide whether to start with an intrusive or a gentle question. Harvard researchers Alison Wood Brooks and Leslie K. John discovered that “people are more willing to reveal sensitive information when questions are asked in a decreasing order of intrusiveness.”
However, “if the goal is to build relationships, the opposite approach — opening with less sensitive questions and escalating slowly — seems to be most effective.”
Consider the following question, asked when starting to respond to a security incident:
What do we know so far about what happened?
This question might be right for some incident response situations. In others, the audience might be too overwhelmed to answer such open-ended questions. They might also lack the expertise to organize their answer or know which details to provide. If you find the answers are insufficient, be ready to offer guidance, perhaps in the form of a checklist.
Checklists can help in stressful situations and prevent “creative” interpretations of your questions. As an alternative to the previous question, consider:
Let’s go through this checklist to organize the details we’ve learned about the incident so far.
Coming into the situation with prepared questions can help, but it’s not enough. The key to an engaging interaction is often your follow-up questions. Consider the advice of Dale Carnegie from his book How To Win Friends and Influence People:
“If you aspire to be a good conversationalist, be an attentive listener. To be interesting, be interested.”
Simply asking questions from a list prepared in advance is often insufficient because this practice doesn’t allow you to demonstrate that you’re paying attention to the other person. Adjust your questions to the situation. Listen to form the right follow-up questions so your audience knows that you’re paying attention.
The Importance of Tone
The tone in communications refers to the way they make the other person feel. With that in mind, consider what aspect of the following question might be counterproductive:
Why have you failed to follow server hardening requirements?
This question seems very aggressive. The listener will feel threatened and become defensive, which is probably counterproductive. The word you in that question amplifies the perceived attack.
It’s generally more constructive to focus the attention of the question not on the person but on the situation and the desired outcome. For example, we could rephrase the original question:
The server’s configuration doesn’t meet our security requirements. How might we address this situation now and prevent it in the future?
Now, the person is more likely to react constructively because they don’t feel directly attacked.
Takeaways for Discovery Questions
As you reflect on ways to ask questions that support your discovery activities in cybersecurity, keep the following in mind:
- Take the time to understand your audience to ask questions on their terms.
- Include open-ended questions in your repertoire. You might start with, “What do we know about the situation?” and wrap up with, “Is there anything I should’ve asked about but didn’t?”
- Embrace checklists for stressful situations and for minimizing wrong or incomplete answers.
- Be sure to listen to the other person’s answers and form meaningful follow-up questions, and demonstrate that you’re paying attention.
Watch the recording of my recent RSA Conference session on "How You Can Ask the Right Questions to Succeed."
Stay tuned for Part 2 and Part 3. In the meantime, explore Life as a CISO to gain insights into all things security.