Last Updated: 2009-04-06 03:49:19 UTC
by Lenny Zeltser (Version: 1)
As an infosec professional, you rarely have the formal power to simply issue a "Make it so!" mandate to launch a project, introduce significant change, or influence behavior of co-workers. Those of us classified as "middle managers" or "individual contributors" are often requested to advise, implement, control, and oversee without direct control over the people who use the data or manage the IT infrastructure. Even Chief Information Security Officers (CISOs) often do not have the staff or the budget to launch significant initiatives without strong support of executive managers and other co-workers.
- Have a message that's worth being heard. Don't lose credibility with half-formed ideas. Also, sometimes it's good to speak off the cuff, but being prepared usually makes a huge difference. Consider your thoughts from all perspectives and anticipate possible objections. Ask your friends to critique all aspects of your proposal.
- Consider concerns and language of the recipient. As Seth Godin put it, we don't like receiving e-mail. We want me-mail! How is your request relevant to the person you're trying to reach? Craft your message using the language of that person. Don't assume that terminology that's second nature to you (SecurID, WEP, DDoS, etc.) is known to him. If communicating with managers or business folks, learn their language (SWOT, CapEx, SaaS, etc.).
- Speak up! But don't be too loud. If you're introverted by nature, or if you speak in an understated tone, make an effort to speak more loudly, directly, clearly. At the same time, don't become the person who yells "Fire!" every time there's a whiff of smoke--the audience can quickly learn to ignore screaming. In contrast, if you're usually loud, try speaking softly--in some situations, such as presentations, that gets people to pay closer attention.
- Understand when to say it. If sending email, use tools such as Xobni to determine the hour when the recipient is most likely to answer messages. If submitting printed documents is getting you nowhere, catch the person on the way for a cup of coffee. Is he a morning person? What's his mood today? The when of the message matters as much as the what.
- Switch the medium. You've tried instant messenger, you've tried email, and another email, and another. Use the phone. Or a paper letter. Or, stop by the colleague's office in person (bring a snack to share or good coffee).
- Don't overwhelm with choices. People can be paralyzed into inaction when offered too many choices. If weighing several courses of action, list a few choices, identify the pros and cons of each, and leave the remaining options for an appendix, available upon request.
- Be brief. No one has time to read long emails. Practice on Twitter to create a succinct message that gets to the point quickly. For more inspiration, see three.sentenc.es.
- Follow up. The recipient probably receives a message per minute, and very possibly yours got lost. Follow up, if you believe your message is important. (You still need to be tactful, of course.) When following up, consider repeating the gist of your message using different words.
- Find an ally. If you have a hard time reaching or convincing the ultimate recipient directly, find someone more accessible to you who would speak on your behalf or support your case. Whom you know really can make a difference.
- Give first, without expecting to receive. If asking for a favor, the person may think (sometimes unconsciously), "What have you done for me lately?" If you are known for helping others, your colleagues will be more predisposed to help you. This is often a problem for security people who've developed a reputation for being Dr. No! (as in "No, you cannot have that firewall port opened!").
If this perspective resonates with you, here are additional thoughts on the non-technical aspects of information security:
- SWOT Matrix for Describing Security Posture
- Elevator Pitch for Explaining Security Risks to Executives
- When Using Fear to Sell Security Can Backfire
- Situational Awareness for Information Security Professionals
- Three Laws of Behavior Dynamics for Information Security
Lenny Zeltser - Security Consulting