Losing a few too many battles? Positive social engineering can help.
It's no surprise that the biggest challenge facing today's security managers is gaining management support for security. Even if you have an ironclad risk assessment to support the need for a particular technology, it's your presentation, persuasion and negotiation skills that sway corporate managers.
None of us got into information security to become salesmen. I'd rather be running scans, debugging code or analyzing logs, but necessity is the mother of invention. When I commiserate with my peers, we half-jokingly call our selling techniques social engineering--and maybe it is.
Like the word "hacking," the term predates the current negative connotation of a criminal duping someone into handing over network passwords or other confidential data. If "ethical hacker" is an acceptable title for IBM's pen-testers, maybe "ethical social engineer" is nothing to shy away from either.
Persuasion and influence are widely studied areas of the social sciences--researchers have spent years trying to quantify their effects. Here are a few weapons of influence to help you talk to the C-suite:
- Reciprocation is hardwired in all of us. When given a gift, we're compelled to respond in kind. This response of perceived obligation is leveraged every day: When we get a door prize at a grand opening, or free cheese in the dairy section of the grocery store, we feel the need to buy something in return.
In your security negotiations, start the discussion with a concession or two about a key item that's important to the executive you're trying to influence: "I've found a way we can secure your new wireless handheld's traffic so you can check your e-mail during meetings." Then, mention the new gigabit Ethernet taps you need. Alternatively, try asking initially for a lot more than you expect--knowing you'll be refused--and then work down to what you're actually aiming for. This is called "rejection-then-retreat."
- Commitment and consistency are easy to understand if you've ever been a sports fan. Once we've made the decision--especially one that we've committed to publicly--to support a team, we stick with that team no matter what. None of us wants to be a hypocrite, even if we're
Once you've obtained an agreement on a security initiative during your negotiations, get your supporters and decision-makers to send out an e-mail about the initiative, be co-presenters at a meeting, or otherwise publicly endorse the effort. Once someone has publicly backed you, he or she will feel compelled to remain steadfast in that support.
- Social proof is easy to find--just flip on your television and watch a primetime sitcom. No one likes canned laughter, but it's widely used because it works so well. We're social animals, and we're wired to respond to certain social cues.
Now, the public endorsement you got from a key decision-maker can help move the herd. Work hard to get as many supporters for key projects as you can, and find ways to make good security the socially acceptable practice in your organization. Make security something visible that everyone feels a part of.
If the end result is improved security posture, making this brand of positive social engineering part of your infosecurity toolkit is a necessity. Good luck, and remember that a little bit goes a long way. Persuasion skills will help you succeed, but make sure you use them to promote solid security. They're no substitute for a level head.
This was first published in February 2006