SecurityWeek

Management & Strategy

The Great Disconnect: Unmasking the ‘Two Separate Conversations’ in Security

When familiar security concepts carry unfamiliar meanings for different audiences, teams talk past each other without even realizing it. This silent disconnect weakens communication, clarity, and outcomes.


It is often the case that I witness a conversation that is actually two separate conversations. What do I mean by that? If you are an astute listener and observer, you have probably noticed how often two people are having two completely different conversations. 

It is seldom the case that either person realizes it, and thus, more often than not, people have difficulty communicating effectively with one another. Quite simply put, they are not having the same conversation.

To help illustrate what I mean, let’s work through an example. A few weeks back, a colleague and I were reviewing and editing a presentation together on a video call. On one particular slide, I provided some feedback verbally, and my colleague’s response did not seem to fit the feedback I had provided. After a few moments, I realized the issue. I was speaking to a specific comment on the slide that I had written the day before, whereas my colleague thought that I was addressing the slide as a whole. I had assumed that he realized that I was addressing the written feedback that I had already provided. He had assumed that I realized that when he loaded the slide, his intent was to address the slide as a whole. Once I realized that we were having two completely different conversations, I explained that I was addressing the written feedback I had provided. It was at that point that the conversation began to go far more smoothly – my colleague and I were speaking the same language at last.

In security, there is a lot that we can learn from this example and from the concept as a whole. How many times do we find ourselves speaking in a language our audience does not understand? How many times do we think what we are saying is clear and explicit, only to discover that it was exactly the opposite? This challenge has harmed us as a profession for many years, and unless we learn to compensate for it, it will continue to harm us for many years to come.

While not an exhaustive list, consider a few common topics where having two separate conversations can make it extremely difficult to communicate:

  • AI Security: Many of us are talking about AI Security these days, but if we are honest with ourselves, do we always have a firm grasp on what, specifically, we are talking about? Are we talking about introducing AI into specific areas to improve security operations? Are we talking about securing and protecting AI functionality that has been introduced into applications? Or are we referring to the governance and compliance groundwork that needs to precede AI deployments? Any of these is possible, and within each there are further contextual questions about the specific use cases in scope and their unique requirements. If we are in a meeting, at a peer group meet-up, at an industry event, or elsewhere, and we find ourselves debating AI Security, it is quite helpful to establish first which of these we are discussing. Otherwise, we are likely to be having different conversations, and we won’t be able to hear or understand one another.
  • API Security: API Security is another oft-discussed topic. It is also a fairly broad one that could refer to any of a number of areas, such as building security in/shift left, preventive controls, vulnerability scanning, sensitive data exposure, shadow API discovery, runtime protection, detective controls, and others. API Security may also refer to the operational security function encompassing all of the above, or to the process of integrating API Security into the existing operational security workflow. The bottom line is that API Security can mean a number of different things. If we are to have any chance of having the same conversation, we first need to agree on what specifically we are interested in discussing.
  • Executives/Management: For many of us that work in security, we may take a certain baseline level of knowledge or experience for granted. We also may tend to focus on things that are important and relevant to us, rather than what is relevant to our audience. This is often seen quite acutely when security professionals try to discuss topics with executive and management audiences. Those audiences are primarily interested in risk to the business in the form of loss of revenue, loss of customer loyalty, increased costs, regulatory and compliance issues, legal and disclosure issues, strategic/long-term risk to the business, and others. Thus, when we speak to these audiences about security priorities, issues, or asks, we need to understand where they are coming from and map our talking points into their frame of reference in order to speak the same language. This is easier said than done, of course, but the security professionals who do it well are generally far more successful at securing the resources, support, and recognition they are after.
  • Stakeholders: Security is increasingly becoming a mission critical business function. As such, the security team most often gets a seat at the business table these days. While this is a good thing overall, it also means that security professionals need to learn the language of their stakeholders in the business. That stakeholder support is so critical when it comes to accomplishing security goals and improving the business’ security posture. And when security professionals and business stakeholders are having two completely different conversations, it can be very difficult to secure that support and make progress.

Communication is an art. It is also a skill that takes work and practice to improve. Yet it is worth the investment in time and energy, as effective communication can be the difference between a good security program and a great one. Having a different conversation from those around us holds us back in the security profession. If we learn to identify when we are not in the same conversation and adjust, however, we can move forward as a field.

Related: Why Sincerity Is a Strategic Asset in Cybersecurity

Related: Rethinking Success in Security: Why Climbing the Corporate Ladder Isn’t Always the Goal

Related: Actions Over Words: Career Lessons for the Security Professional

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently Field CISO at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
