January 16, 2009

by David McCartney

 “It’s not communication unless the message sent is the message received.”

Wise words from my father. The quote may have originated elsewhere, but the words ring true. Too often, we fall into a trap where once we have “sent” the message, we expect that it was “received”. How do we know? Do we really *want* to know?

Can you hear me? Let me demonstrate:

Recently, my team was charged with putting in place a way to securely send emails to customers, clients, and partners. Additionally, the solution would need to scan the content and attachments for information the organization wanted to leave only in a secure fashion.

Once implementation was completed, marketing announced the arrival of the tool and how it could impact workflow, taking extra steps to give it a positive spin. To help reduce false positives, we passively monitored and modified settings as needed, then after a few months the system was activated and blocking began. We knew no system was perfect and occasionally communications are prevented that shouldn’t be, so we gave a method to bypass the secure mechanism. The message flow looked something like this:

  1. Secure device receives email and encrypts if requested
  2. If not requested, scans email and attachments for sensitive data
  3. If sensitive data found, blocks email from being sent and provides example to user showing how to send securely or bypass the mechanism if appropriate

Almost immediately, my team received responses from individuals with blocked messages calling the service “stupid”, “idiotic”, or “a waste of time”. Comments were sometimes followed by personal insults as well, even though they were sent to a distribution list with no specific personnel attached.

As I’d only recently joined the organization, I had an extremely difficult time not taking the responses personally despite the fact I had nothing to do with the secure messaging implementation. While I suspect the perceived disassociation of sending to a distribution list instead of more personal contact encouraged the comments we were receiving, it didn’t make them any easier to read.

However, after putting my feelings aside, I started analyzing what the users were trying to communicate and quickly discovered a common theme:

Despite being given an example in the blocked notification, users were frustrated because they didn’t know how to use the bypass.

I began digging deeper, trying to figure out *why* the example, and hence the communication, was not effective. It turns out the automated response was extremely wordy, difficult to understand, and very passive-aggressive with regard to auditing and consequences. No wonder we received such heated replies!

I’m in the process of revising the automated response. In addition to making the information more concise, we’ll also be redirecting users to the Help Desk if they need immediate assistance. Once the Help Desk staff is trained on how to respond to their customers’ issues, I hope satisfaction with the secure messaging tool will increase greatly. If it doesn’t, I’ll wash, rinse, and repeat the analysis cycle again to find where the new shortcomings are. Because really, it’s not communication unless the message sent is the message received.

About the Author Michael Santarcangelo

The founder of Security Catalyst, Michael develops exceptional leaders and powerful communicators with the security mindset for success.
