Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

11:30 AM
Lysa Myers
Lysa Myers
Connect Directly
E-Mail vvv

Getting To Yes, Cooperatively

As security advocates, determining what "beneficial" means to a particular audience should be our first step in developing recommendations.

Have you ever found yourself trying to convince someone to do something that you felt was clearly in his best interest, armed with overwhelming facts and supporting evidence, only to have your idea soundly rejected? Many people in that situation would throw up their hands in disgust and decide that the person was being completely unreasonable. But perhaps it’s we who are being unreasonable in our approach.

What constitutes a “Win”? I recently attended a panel session moderated by Dark Reading's Kelly Jackson Higgins at Black Hat where several distinguished women discussed their experiences working in different areas of information security. One story in particular contained a message that needs to be more widely shared: Katie Moussouris talked about her many attempts to convince people to start a bug bounty program at Microsoft.

Her first attempts were jam-packed with evidence that she thought was overwhelmingly compelling, so how could she possibly fail? But that’s exactly what happened for years before she rephrased her proposal not just in terms of data and logical actions, but in terms of how it would address specific problems with which her audience was struggling. Before she was even a small fraction of the way through her renovated presentation, her audience had already enthusiastically agreed to her proposal.

When I first started in security, I felt like “being secure” was a goal so obvious that if you could just make people understand how to perform the actions, they would simply comply. Why on earth would anyone not Web-filter their employees to keep them from surfing porn? Why would they use weak passwords or double-click dubious attachments? That’s just ridiculous and self-defeating! But as it turns out, I was naïve. There are people out there whose most important goals are along the lines of “responding quickly in an emergency,” “raising employee morale,” or “the free flow of information.” These goals are not necessarily contradictory to security, but it may seem so if these concerns are not specifically addressed in our educational pleas.

When we’re working in our capacity as security advocates – or just as people trying to convince others to do something we think would be beneficial – determining what “beneficial” means to our audience should be step one before presenting our suggestions.

Well, duh.
Asking people what they want may seem a pretty obvious first step toward convincing them to do something. And while it may seem obvious, it may also seem overwhelming or simply impossible, depending on the nature of the interaction with your audience. People’s concerns may be too broad, or something you can’t necessarily know before you start “talking,” like in the case of an article (not unlike this one!).

That’s where getting outside our usual comfort zone – and far outside the security or technology echo chamber – can be incredibly helpful. There are a variety of places in my own life I like to go to do this.

Non-security-specific IT conferences were a major eye-opener for me; I learned about some of the goals and problems of people trying to implement things securely in different types of businesses. Retail businesses are not like hospitals which are not like credit unions which are not like schools. They all have their own particular hurdles, their own particular types of interactions with customers, and they work at different paces. While I knew this intuitively, it is a very different situation when you’re seeing how sales are pitched or presentations are geared towards their IT staff.

Another thing I like to do is to engage people in conversations about how security measures affect them in their job. Yes, I’m that person who holds up the checkout line while cashiers ask me questions about EMV cards. My dad likes to remind me that even my most jargon-free articles still need to be “translated” into simpler English in order to be useful for his clients in a small town. I recently needled my new allergist into telling me his tales of woe about electronic health records; I really hadn’t fully understood why interoperability is such a big deal before hearing specifically why it pains doctors.

Sometimes waiting for this sort of information and opportunity is not an option, and this is also why some of our attempts at motivating people to change their behavior fall flat. Hopefully, as our industry matures, and as we gain more knowledge of our audiences, we can be better at providing them with tips that better align with their goals.

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
8/27/2015 | 2:08:26 PM
Selling security
Great article. It's easy for those inside the industry to take security as a fundamental need, and think the almost daily headline news is enough to sell people on making the change. Always important to remember people buy/change/act on emotion and not always logic.
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-16
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the han...
PUBLISHED: 2021-06-16
This vulnerability allows remote attackers to execute arbitrary code on affected installations of GE Reason RPV311 14A03. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware and filesystem of the device. The firmware and filesystem contain hard-...
PUBLISHED: 2021-06-16
Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of helm prior to 3.6.1, a vulnerability exists where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. This...
PUBLISHED: 2021-06-16
Apollos Apps is an open source platform for launching church-related apps. In Apollos Apps versions prior to 2.20.0, new user registrations are able to access anyone's account by only knowing their basic profile information (name, birthday, gender, etc). This includes all app functionality within th...
PUBLISHED: 2021-06-16
FOGProject v1.5.9 is affected by a File Upload RCE (Authenticated).