Security Is Hard. Arguing For It Doesn’t Have To Be.

Security is hard. Arguing for it doesn’t have to be..jpg

By Merlin Namuth and Anne Namuth

If everyone in your organization understood cybersecurity the way you understand cybersecurity, your job would be a lot easier. But they don’t. So it’s not.

As much as your job is about securing information, it’s also about convincing people to provide the resources you need to keep information secure.

A Word About the Art of Persuasion

Confused as a synonym for bullshit, rhetoric is about the choices you make regarding the language you use. So strengthening your rhetorical skills – especially your skills of persuasion – will empower you to convince people to help you so you can do your job.

When working to persuade someone, you are asking them to own your problem as theirs and then to help you solve the problem. Many people avoid persuasion, believing it is a form of manipulation. The line between persuasion and manipulation is defined by the nature of your relationship with the person you are trying to persuade.

Both persuasion and manipulation come from the Latin. To persuade is to give advice (“provide a sound reason for (someone) to do something”). Manipulation comes from a military term meaning to force someone’s hand. Whether you intend to advise or to force someone’s hand stems from the nature of the relationship you have with the person you are persuading.

Experiencing positive relationships is a basic human need and building relationships that lend themselves to persuasion involves getting to know someone on a personal level.. Between the things we need to live (air, food, water) and the ability to solve problems is the need for positive relationships with others.

You increase the likelihood that someone will help you solve a problem when you take the time to first establish a positive relationship with them. Getting someone away from the office helps set a social tone and tends to lower defenses, so start by making time to have lunch with people. These conversations are meant to be ongoing so that in the future you have an idea of what questions will engage people in friendly conversation.

On the foundation of a positive relationship, your communications can be received as advice — as persuasion. In the absence of a positive relationship, your communications are received as forceful – as manipulation. Remember: rhetoric is the choices you make about the language you use to achieve an intended effect.

You are probably facing numerous needs, problems, and risks that require someone else in your organization to respond to, pay for, and prioritize in order for you to be able to secure information.

The 5 Steps of Persuasion

There are five steps of persuasion that will help you clearly communicate and effectively advise to gain the support and resources you need.

Step 1: Attention

Starting a conversation with a larger or more general topic provides background and context for why this problem matters. If you dive into the problem right away, it is difficult for the person listening to you to care about the problem you are presenting. For example, if you need help installing critical patches, begin with a conversation about risk.

Step 2: Need

State the problem. Many problems are large and complex and cannot be addressed in one conversation. Be concise and explain the size of the problem. For example, after establishing what risk is, explain there are 20 critical patches that have not been applied on all Internet-facing servers storing sensitive customer data. The problem is the missing patches; the size of the problem is that sensitive customer data is at an increased risk of compromise without the patches.

Next, point out the problem to your audience. Once that person understands the problem, help them understand why they should care. Explain that without these patches, the cost of an incident can easily be more than $500,000 and once in the news, the cost to current and future revenue could be much greater. Referring to a recent example of a company that has experienced such a problem helps create context and reason for why this issue needs to be addressed.

Step 3: Solution

Directly state the solution to the problem. For example, a solution might be scheduling time to test and install the patches. Or, hiring a contractor to test and install the patches because the current staff is tasked with other work. Do not forget to connect this solution to the topic introduced in step one. While the immediate need is to install the patches, the overall reason for installing patches is about reducing risk.

By connecting back to the topic defined at the beginning of the argument, you establish a common understanding for future discussions – making future persuasion easier. Take time to address objections to your argument. By owning and addressing objections, you reduce the amount of time it takes to persuade the person you are talking to. For example, explain that you understand testing and installing patches may require their team to temporarily stop working on customer requests or that systems need to be taken offline, but keep the focus on why this is necessary.

Step 4: Visualization

Once you’ve addressed objections to the argument, help the person you are talking with to visualize, or understand, what will happen if they do not take your advice. Then immediately follow up with what will happen if they do take your advice. Avoid extreme or alarmist statements – be realistic and honest. For example, if the critical patches are not applied, systems could become compromised and create an incident costing more than $500,000 – money that could be used for revenue-generating projects. Conversely, if the patches are applied, the systems are less vulnerable.

Step 5: Action

Finish by explaining exactly what you need from the person you are trying to persuade. Remember to connect back to the initial topic from the attention step. This final connection to the topic introduced at the beginning of the argument is a rhetorical strategy that strengthens your argument. In addition, connecting back to the topic introduced in the beginning creates context for future conversations.


About the Authors

Merlin Namuth is a Chief Information Security Officer and has over 23 years of IT experience with the last 20 years focused in security. His experience in security includes building and running numerous security programs, program management, managing incident response teams, computer forensics, compliance, architecture, and engineering complex security solutions.

More About Merlin

Anne Namuth is – by day – a middle school language arts teacher of 18 years. By night Anne is a doctoral student studying reading, language, and literacy. Anne’s dissertation topic is exploring how engaging in writing leads students to different habits of mind and a critical awareness of the impact of empathy has on individuals and groups.

More About Anne