11:30 AM
Lysa Myers

Getting To Yes, Cooperatively

As security advocates, determining what "beneficial" means to a particular audience should be our first step in developing recommendations.

Have you ever found yourself trying to convince someone to do something that you felt was clearly in his best interest, armed with overwhelming facts and supporting evidence, only to have your idea soundly rejected? Many people in that situation would throw up their hands in disgust and decide that the person was being completely unreasonable. But perhaps it’s we who are being unreasonable in our approach.

What constitutes a “Win”?
I recently attended a panel session moderated by Dark Reading's Kelly Jackson Higgins at Black Hat where several distinguished women discussed their experiences working in different areas of information security. One story in particular contained a message that needs to be more widely shared: Katie Moussouris talked about her many attempts to convince people to start a bug bounty program at Microsoft.

Her first attempts were jam-packed with evidence that she thought was overwhelmingly compelling, so how could she possibly fail? But that’s exactly what happened for years before she rephrased her proposal not just in terms of data and logical actions, but in terms of how it would address specific problems with which her audience was struggling. Before she was even a small fraction of the way through her renovated presentation, her audience had already enthusiastically agreed to her proposal.

When I first started in security, I felt like “being secure” was a goal so obvious that if you could just make people understand how to perform the actions, they would simply comply. Why on earth would anyone not Web-filter their employees to keep them from surfing porn? Why would they use weak passwords or double-click dubious attachments? That’s just ridiculous and self-defeating! But as it turns out, I was naïve. There are people out there whose most important goals are along the lines of “responding quickly in an emergency,” “raising employee morale,” or “the free flow of information.” These goals are not necessarily contradictory to security, but it may seem so if these concerns are not specifically addressed in our educational pleas.

When we’re working in our capacity as security advocates – or just as people trying to convince others to do something we think would be beneficial – determining what “beneficial” means to our audience should be step one before presenting our suggestions.

Well, duh.
Asking people what they want may seem a pretty obvious first step toward convincing them to do something. And while it may seem obvious, it may also seem overwhelming or simply impossible, depending on the nature of the interaction with your audience. People’s concerns may be too broad, or something you can’t necessarily know before you start “talking,” like in the case of an article (not unlike this one!).

That’s where getting outside our usual comfort zone – and far outside the security or technology echo chamber – can be incredibly helpful. There are a variety of places in my own life I like to go to do this.

Non-security-specific IT conferences were a major eye-opener for me; I learned about some of the goals and problems of people trying to implement things securely in different types of businesses. Retail businesses are not like hospitals, which are not like credit unions, which are not like schools. They all have their own particular hurdles, their own particular types of interactions with customers, and they work at different paces. While I knew this intuitively, it is a very different situation when you’re seeing how sales are pitched or presentations are geared towards their IT staff.

Another thing I like to do is to engage people in conversations about how security measures affect them in their job. Yes, I’m that person who holds up the checkout line while cashiers ask me questions about EMV cards. My dad likes to remind me that even my most jargon-free articles still need to be “translated” into simpler English in order to be useful for his clients in a small town. I recently needled my new allergist into telling me his tales of woe about electronic health records; I really hadn’t fully understood why interoperability is such a big deal before hearing specifically why it pains doctors.

Sometimes waiting for this sort of information and opportunity is not an option, and this is also why some of our attempts at motivating people to change their behavior fall flat. Hopefully, as our industry matures, and as we gain more knowledge of our audiences, we can be better at providing them with tips that better align with their goals.

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ...

8/27/2015 | 2:08:26 PM
Selling security
Great article. It's easy for those inside the industry to take security as a fundamental need, and think the almost daily headline news is enough to sell people on making the change. Always important to remember people buy/change/act on emotion and not always logic.