Careers & People

Lysa Myers
Getting To Yes, Cooperatively

As security advocates, determining what "beneficial" means to a particular audience should be our first step in developing recommendations.

Have you ever found yourself trying to convince someone to do something that you felt was clearly in his best interest, armed with overwhelming facts and supporting evidence, only to have your idea soundly rejected? Many people in that situation would throw up their hands in disgust and decide that the person was being completely unreasonable. But perhaps it’s we who are being unreasonable in our approach.

What constitutes a “Win”?

I recently attended a panel session moderated by Dark Reading's Kelly Jackson Higgins at Black Hat where several distinguished women discussed their experiences working in different areas of information security. One story in particular contained a message that needs to be more widely shared: Katie Moussouris talked about her many attempts to convince people to start a bug bounty program at Microsoft.

Her first attempts were jam-packed with evidence that she thought was overwhelmingly compelling, so how could she possibly fail? But that’s exactly what happened for years before she rephrased her proposal not just in terms of data and logical actions, but in terms of how it would address specific problems with which her audience was struggling. Before she was even a small fraction of the way through her renovated presentation, her audience had already enthusiastically agreed to her proposal.

When I first started in security, I felt like “being secure” was a goal so obvious that if you could just make people understand how to perform the actions, they would simply comply. Why on earth would anyone not Web-filter their employees to keep them from surfing porn? Why would they use weak passwords or double-click dubious attachments? That’s just ridiculous and self-defeating! But as it turns out, I was naïve. There are people out there whose most important goals are along the lines of “responding quickly in an emergency,” “raising employee morale,” or “the free flow of information.” These goals are not necessarily contradictory to security, but it may seem so if these concerns are not specifically addressed in our educational pleas.

When we’re working in our capacity as security advocates – or just as people trying to convince others to do something we think would be beneficial – determining what “beneficial” means to our audience should be step one before presenting our suggestions.

Well, duh.
Asking people what they want may seem a pretty obvious first step toward convincing them to do something. And while it may seem obvious, it may also seem overwhelming or simply impossible, depending on the nature of the interaction with your audience. People’s concerns may be too broad, or something you can’t necessarily know before you start “talking,” as in the case of an article (not unlike this one!).

That’s where getting outside our usual comfort zone – and far outside the security or technology echo chamber – can be incredibly helpful. There are several places in my own life where I go to do this.

Non-security-specific IT conferences were a major eye-opener for me; I learned about some of the goals and problems of people trying to implement things securely in different types of businesses. Retail businesses are not like hospitals, which are not like credit unions, which are not like schools. They all have their own particular hurdles, their own particular types of interactions with customers, and they work at different paces. While I knew this intuitively, it is a very different situation when you’re seeing how sales are pitched or presentations are geared towards their IT staff.

Another thing I like to do is to engage people in conversations about how security measures affect them in their job. Yes, I’m that person who holds up the checkout line while cashiers ask me questions about EMV cards. My dad likes to remind me that even my most jargon-free articles still need to be “translated” into simpler English in order to be useful for his clients in a small town. I recently needled my new allergist into telling me his tales of woe about electronic health records; I really hadn’t fully understood why interoperability is such a big deal before hearing specifically why it pains doctors.

Sometimes waiting for this sort of information and opportunity is not an option, and this is also why some of our attempts at motivating people to change their behavior fall flat. Hopefully, as our industry matures, and as we gain more knowledge of our audiences, we can be better at providing them with tips that better align with their goals.

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ...

Comments
8/27/2015 | 2:08:26 PM
Selling security
Great article. It's easy for those inside the industry to take security as a fundamental need, and think the almost daily headline news is enough to sell people on making the change. Always important to remember people buy/change/act on emotion and not always logic.