Explaining Your Progress to Clients or Colleagues

Your non-security colleagues or clients probably have a hard time telling whether you are doing your job well, unless you interact with them on regular basis. After all, they probably don’t understand the intricacies of your work, which makes it hard for them to judge its quality. What can you do about it?

Out of Sight, Out of Mind

As I wrote earlier post, people who don't understand a specialized skill set estimate the value they receive by assessing the effort (usually time) that goes into the project. Nowadays many employees and consultants work remotely; this makes it harder to know how much people have worked on a given task. This can lead colleagues or clients to assume that the person wasn't working hard enough.

The solution to this challenge may involve meeting with the relevant people more often by phone or in person. In addition, we should put effort into providing regular status updates electronically regarding both the tasks in progress and recent milestones. (At the same time, we must be careful not to spam people or annoy them with numerous unnecessary calls.)

Posters in the Subway

Consider an example from the world outside of information security:

New Yorkers were grumpy about the apparent lack of improvements in the city's transit infrastructure. The Metropolitan Transportation Authority (MTA) was asking for additional funding and planned to increase fares; yet, the riders and policy makers didn't understand how the existing money was being spent.

Back in 2010 MTA responded with a PR campaign to highlight the improvements it was making to subways, buses and bridges. The advertisement posters, extolled the hard work of MTA employees and included the tagline "Improving, non-stop." New Yorkers remain grumpy about the transportation system, but perhaps the campaign achieved at least the organization's objectives of casting itself as a competent organization that continues to improve within its budgetary confines.

What You Can Do

Consider whether your organization, department or self should launch a "PR campaign" to make sure that your colleagues or clients understand the work you do and how they benefit from it. Companies use similar tactics as part of a security awareness program or overall marketing campaigns, so this shouldn’t be a completely unfamiliar effort. Who knows, maybe some day you'll be receiving thank-you cards from appreciative admirers of your work.


About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.

Learn more