
Careers & People
8/26/2015 11:30 AM
Lysa Myers
Commentary

Getting To Yes, Cooperatively

As security advocates, determining what "beneficial" means to a particular audience should be our first step in developing recommendations.

Have you ever found yourself trying to convince someone to do something that you felt was clearly in his best interest, armed with overwhelming facts and supporting evidence, only to have your idea soundly rejected? Many people in that situation would throw up their hands in disgust and decide that the person was being completely unreasonable. But perhaps it’s we who are being unreasonable in our approach.

What constitutes a “Win”?
I recently attended a panel session moderated by Dark Reading's Kelly Jackson Higgins at Black Hat where several distinguished women discussed their experiences working in different areas of information security. One story in particular contained a message that needs to be more widely shared: Katie Moussouris talked about her many attempts to convince people to start a bug bounty program at Microsoft.

Her first attempts were jam-packed with evidence that she thought was overwhelmingly compelling, so how could she possibly fail? But that’s exactly what happened for years before she rephrased her proposal not just in terms of data and logical actions, but in terms of how it would address specific problems with which her audience was struggling. Before she was even a small fraction of the way through her renovated presentation, her audience had already enthusiastically agreed to her proposal.

When I first started in security, I felt like “being secure” was a goal so obvious that if you could just make people understand how to perform the actions, they would simply comply. Why on earth would anyone not Web-filter their employees to keep them from surfing porn? Why would they use weak passwords or double-click dubious attachments? That’s just ridiculous and self-defeating! But as it turns out, I was naïve. There are people out there whose most important goals are along the lines of “responding quickly in an emergency,” “raising employee morale,” or “the free flow of information.” These goals are not necessarily contradictory to security, but it may seem so if these concerns are not specifically addressed in our educational pleas.

When we’re working in our capacity as security advocates – or just as people trying to convince others to do something we think would be beneficial – determining what “beneficial” means to our audience should be step one before presenting our suggestions.

Well, duh.
Asking people what they want may seem a pretty obvious first step toward convincing them to do something. And while it may seem obvious, it may also seem overwhelming or simply impossible, depending on the nature of the interaction with your audience. People’s concerns may be too broad, or something you can’t necessarily know before you start “talking,” like in the case of an article (not unlike this one!).

That’s where getting outside our usual comfort zone – and far outside the security or technology echo chamber – can be incredibly helpful. There are a variety of places in my own life I like to go to do this.

Non-security-specific IT conferences were a major eye-opener for me; I learned about some of the goals and problems of people trying to implement things securely in different types of businesses. Retail businesses are not like hospitals which are not like credit unions which are not like schools. They all have their own particular hurdles, their own particular types of interactions with customers, and they work at different paces. While I knew this intuitively, it is a very different situation when you’re seeing how sales are pitched or presentations are geared towards their IT staff.

Another thing I like to do is to engage people in conversations about how security measures affect them in their job. Yes, I’m that person who holds up the checkout line while cashiers ask me questions about EMV cards. My dad likes to remind me that even my most jargon-free articles still need to be “translated” into simpler English in order to be useful for his clients in a small town. I recently needled my new allergist into telling me his tales of woe about electronic health records; I really hadn’t fully understood why interoperability is such a big deal before hearing specifically why it pains doctors.

Sometimes waiting for this sort of information and opportunity is not an option, and this is also why some of our attempts at motivating people to change their behavior fall flat. Hopefully, as our industry matures, and as we gain more knowledge of our audiences, we can be better at providing them with tips that better align with their goals.

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ...

Comments

sragan, User Rank: Apprentice
8/27/2015 | 2:08:26 PM
Selling security
Selling security
Great article. It's easy for those inside the industry to take security as a fundamental need, and think the almost daily headline news is enough to sell people on making the change. Always important to remember people buy/change/act on emotion and not always logic.