No matter the years of experience in cybersecurity, we’re often in situations where crucial details are missing. Yet, we often hesitate to ask questions because we don't want to appear ignorant or don't know what to ask.
In Part 1 of this three-part series, we looked at four ways to use questions for discovery activities related to security projects. Part 2 delineates how to use questions to succeed with cybersecurity planning activities and reviews several examples.
In cybersecurity, planning activities involve tactical and strategic ways of strengthening the security program. This includes establishing the program’s goals and addressing risks related to vulnerabilities or non-compliance.
Let’s explore an approach to asking questions that strengthens such efforts.
Security teams support multiple stakeholders and often rely on others to address risks. Asking questions can help with such collaboration. But how might you strengthen these questions to increase the chances that the other person reacts favorably?
Let’s look at this question, for example:
When will you design a way to minimize the data exposure of the application?
The person hearing this question might feel attacked. They might also not know what to do, because the current phrasing puts the full burden of alleviating the situation on them.
Making others responsible for a challenging task without making them feel supported might delay their action or lead to suboptimal results. While you shouldn’t take on the work if it’s not your responsibility, it’s useful to signal that you’ll offer support where necessary.
Collaborative framing is the idea that you should phrase questions so that others understand that they have a role to play in addressing the subject matter while making them feel that you will participate in an appropriate way. One way to do this when jointly tackling a challenge is to start the question with, “How might we.” This approach, described by Nielsen Norman Group, leads to “creative solutions while keeping teams focused on the right problems to solve.”
You can use the “How might we” approach to rephrase the earlier question about data exposure like this:
How might we design a way to minimize the data exposure of the application?
Such collaborative framing of the question makes others feel included and supported in addressing the risk.
Avoid Asking Too Narrowly
What might be problematic about the following question, which looks for a way to address a security issue?
How might we train people to not click on phishing links?
This question uses collaborative framing, which is great. Yet, the question might be defining the problem too narrowly. Is clicking on links the underlying issue, or are we trying to address the broader risk of phishing attacks? By being overly specific, the question limits the possible solutions it might help generate.
Since training the people might be just one aspect of the problem, one way to broaden the framing of the question is to ask:
How might we mitigate the risk of phishing attacks?
The rephrased question can lead to solutions that involve not only training, but also email filtering, browser security controls, and other measures that the original question could’ve missed.
On the other hand, sometimes questions can be too broad, failing to define the scope or priorities. For example, asking “Are our laptops sufficiently secure?” might not support a constructive discussion unless you clarify what “sufficiently” means and what constraints might affect the solution. To address this, consider including more details in your question or breaking it down into several specific questions.
Takeaways for Planning Questions
As you reflect on the ways in which you can ask questions that support your planning activities in cybersecurity, keep the following in mind:
- Use inclusive language, with words such as “How might we,” to share the sense of ownership and express support
- Be mindful of preconceived assumptions when forming the question
- Broaden the question’s framing for creative solutions
- Include detailed, specific questions for proper coverage
Watch the recording of my recent RSA Conference session on "How You Can Ask the Right Questions to Succeed."
Stay tuned for Part 3. In the meantime, explore Life as a CISO to gain insights into all things security.