Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

11:30 AM
Lysa Myers
Lysa Myers
Connect Directly
E-Mail vvv

Getting To Yes, Cooperatively

As security advocates, determining what "beneficial" means to a particular audience should be our first step in developing recommendations.

Have you ever found yourself trying to convince someone to do something that you felt was clearly in his best interest, armed with overwhelming facts and supporting evidence, only to have your idea soundly rejected? Many people in that situation would throw up their hands in disgust and decide that the person was being completely unreasonable. But perhaps it’s we who are being unreasonable in our approach.

What constitutes a “Win”? I recently attended a panel session moderated by Dark Reading's Kelly Jackson Higgins at Black Hat where several distinguished women discussed their experiences working in different areas of information security. One story in particular contained a message that needs to be more widely shared: Katie Moussouris talked about her many attempts to convince people to start a bug bounty program at Microsoft.

Her first attempts were jam-packed with evidence that she thought was overwhelmingly compelling, so how could she possibly fail? But that’s exactly what happened for years before she rephrased her proposal not just in terms of data and logical actions, but in terms of how it would address specific problems with which her audience was struggling. Before she was even a small fraction of the way through her renovated presentation, her audience had already enthusiastically agreed to her proposal.

When I first started in security, I felt like “being secure” was a goal so obvious that if you could just make people understand how to perform the actions, they would simply comply. Why on earth would anyone not Web-filter their employees to keep them from surfing porn? Why would they use weak passwords or double-click dubious attachments? That’s just ridiculous and self-defeating! But as it turns out, I was naïve. There are people out there whose most important goals are along the lines of “responding quickly in an emergency,” “raising employee morale,” or “the free flow of information.” These goals are not necessarily contradictory to security, but it may seem so if these concerns are not specifically addressed in our educational pleas.

When we’re working in our capacity as security advocates – or just as people trying to convince others to do something we think would be beneficial – determining what “beneficial” means to our audience should be step one before presenting our suggestions.

Well, duh.
Asking people what they want may seem a pretty obvious first step toward convincing them to do something. And while it may seem obvious, it may also seem overwhelming or simply impossible, depending on the nature of the interaction with your audience. People’s concerns may be too broad, or something you can’t necessarily know before you start “talking,” like in the case of an article (not unlike this one!).

That’s where getting outside our usual comfort zone – and far outside the security or technology echo chamber – can be incredibly helpful. There are a variety of places in my own life I like to go to do this.

Non-security-specific IT conferences were a major eye-opener for me; I learned about some of the goals and problems of people trying to implement things securely in different types of businesses. Retail businesses are not like hospitals which are not like credit unions which are not like schools. They all have their own particular hurdles, their own particular types of interactions with customers, and they work at different paces. While I knew this intuitively, it is a very different situation when you’re seeing how sales are pitched or presentations are geared towards their IT staff.

Another thing I like to do is to engage people in conversations about how security measures affect them in their job. Yes, I’m that person who holds up the checkout line while cashiers ask me questions about EMV cards. My dad likes to remind me that even my most jargon-free articles still need to be “translated” into simpler English in order to be useful for his clients in a small town. I recently needled my new allergist into telling me his tales of woe about electronic health records; I really hadn’t fully understood why interoperability is such a big deal before hearing specifically why it pains doctors.

Sometimes waiting for this sort of information and opportunity is not an option, and this is also why some of our attempts at motivating people to change their behavior fall flat. Hopefully, as our industry matures, and as we gain more knowledge of our audiences, we can be better at providing them with tips that better align with their goals.

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
8/27/2015 | 2:08:26 PM
Selling security
Great article. It's easy for those inside the industry to take security as a fundamental need, and think the almost daily headline news is enough to sell people on making the change. Always important to remember people buy/change/act on emotion and not always logic.
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Breaches Are Inevitable, So Embrace the Chaos
Ariel Zeitlin, Chief Technology Officer & Co-Founder, Guardicore,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A heap-based buffer overflow allows remote attackers to cause a denial of service or execute arbitrary ...
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A stack overflow could lead to denial of service or arbitrary code execution.
PUBLISHED: 2019-11-15
On version 14.0.0-, BIG-IP virtual servers with TLSv1.3 enabled may experience a denial of service due to undisclosed incoming messages.
PUBLISHED: 2019-11-15
On BIG-IP 14.1.0-14.1.2, 14.0.0-14.0.1, and 13.1.0-13.1.1, undisclosed HTTP requests may consume excessive amounts of systems resources which may lead to a denial of service.
PUBLISHED: 2019-11-15
When the BIG-IP APM 14.1.0-14.1.2, 14.0.0-14.0.1, 13.1.0-, 12.1.0-, or 11.5.1-11.6.5 system processes certain requests, the APD/APMD daemon may consume excessive resources.