Start with Why

Like so many in cybersecurity, I started my career by diving into a variety of technical books. I read everything from Practical Unix and Internet Security to TCP/IP Illustrated and DNS & Bind. Having a technical foundation is critical for people in a cybersecurity career, but as that career develops, I’m seeing a growing need for soft skills as well.

From project planning and managing human risk to communicating and partnering with other departments and leadership, these soft skills are needed for a variety of reasons.  Two books that have helped me tremendously are John Kotter’s Leading Change and Dan and Chip Heath’s Made to Stick, but there's another one I'm ready to add to the stack.

I just recently finished reading another great book that helps to lay that same foundation. Simon Sinek’s Start With Why: How Great Leaders Inspire Everyone to Take Action nails a key weakness I’m repeatedly seeing in the security community - forgetting to address the WHY.

As a SANS Instructor and being part of the SANS STI faculty, I see highly technical and extremely talented individuals repeatedly make the same mistake.  When communicating to leadership or non-technical community, the cybersecurity community is very good at explaining WHAT we are doing, but fall short on explaining WHY we are doing it. This makes it difficult to understand why we fail to get any buy-in or support.  It’s not that we are bad at communicating the WHY, it’s just that we fail to even to attempt to communicate it. 

This is partly due to Curse of Knowledge, the concept that the more of an expert you are at something the worse you are at explaining it.  This is why I’m a huge fan of Simon’s book.  As a result of the book, you will have a far better understanding of WHY you have to explain the WHY, and how to approach it. 

While this book does get a bit repetitive two-thirds of the way through, Simon makes up for it with all of his stories and relatable examples.  The key takeaway for any security professional when explaining a technical solution, documenting a project plan, or preparing a presentation, always start with WHY this is important or WHY anyone should care.  Then go into the WHAT part.  Trust me (and Sinek). You will have far greater impact if you start with the WHY first.