Owning the C-suite

If you've found yourself on the losing end of a few too many battles, and security is suffering because of a lack of support from top executives, a bit of positive social engineering may be just the thing.

It's no surprise that the biggest challenge facing today's security managers is gaining management support for security. Even if you have an ironclad risk assessment to support the need for a particular technology, it's your presentation, persuasion and negotiation skills that sway corporate managers. None of us got into information security to become salesmen. I'd rather be running scans, debugging code or analyzing logs, but necessity is the mother of invention. When I commiserate with my peers, we half-jokingly call our selling techniques social engineering -- and maybe it is. Like the word "hacking," the phrase itself predates the current negative connotation of a criminal duping someone into handing over their network password or other confidential data. If "ethical hacker" is an acceptable title for IBM's pen-testers, maybe "ethical social engineer" is nothing to shy away from either. Persuasion and influence are widely studied areas of the social sciences -- researchers have spent years trying to quantify their effect. Here are a few weapons of influence to help you talk to the C-suite:

  • Reciprocation seems especially hardwired in all of us. When given a gift, even one we didn't ask for, we're compelled to respond in kind. This innate response of perceived obligation is leveraged every day: When we get a door prize at a retail store grand opening or that nice lady in the dairy section hands us free cheese samples, we feel the need to buy something in return.

    In your security negotiations, start the discussion with a concession or two about a key item that's important to the executive you're trying to influence: "I've found a way we can secure your new wireless handheld's traffic so you can check your football scores during meetings." Then, mention the new gigabit ethernet taps you need. Alternatively, try asking initially for a lot more than you expect--knowing you'll be refused--and then work down to what you're actually aiming for. This is called "rejection-then-retreat."

  • Commitment and consistency are easy to understand if you've ever been a rabid sports fan. Once we've made the decision--especially one that we've committed to publicly--to support a team, we stick with that team no matter what. None of us wants to be a hypocrite, even if we're mistaken.

    Once you've obtained an agreement on a new security initiative during your negotiations, get your supporters and decision-makers to send out an e-mail about the initiative, be a co-presenter at a meeting, or otherwise publicly endorse the effort. Once someone has publicly backed you, he or she will feel compelled to remain steadfast in that support.

  • Social proof is easy to find--just flip on your television and watch a primetime sitcom: No one likes canned laughter, but it's widely used because it works so well. We're social animals, and we're wired to respond to certain social cues.

    Now, the public endorsement you got from a key decision-maker can help you move the herd. Work hard to get as many supporters for your key projects as you can, and find ways to make good security the socially acceptable practice in your organization. Make security something very visible that everyone feels a part of.

  • Similarity, as a tool of persuasion, is indisputable: We like ourselves, we like people who resemble us, and we like people who like us back. And, we all seem to want to be associated with people with traits that we aspire to--hence the use of attractive models and celebrities in print ads and commercials. By buying the shampoo, you're now linked to it and, in at least one way, similar to the beautiful spokesperson yourself. Using the same deodorant as a famous quarterback makes you instantly connected—if only in your head.

    You can leverage this technique by emphasizing commonalities in the approach of your proposals with pet projects or interests of your adversaries. If your boss is a database guy, show how your new logging infrastructure ties in with databases. If he's a Linux guy, make sure your new VPN has a Linux client. You can also go for the "celebrity spokesmodel" approach: If you're bringing in a new vendor, emphasize all of the Fortune 100 clients they have, especially if any of them are similar companies to yours, but just a bit larger or more successful.

  • Authority is a powerful shaper of our thoughts, so much so that, in many ways, our obeisance is often unquestioning. It's an undeniably strong persuasive tool. From birth, we're taught to respect and defer to authority figures of one sort or another, from parents to teachers, police, and now managers, bosses and the like. Socially, we're also conditioned to respect laws, regulations and the perceived authority of corporate policies, bylaws. Operating with an awareness of the power of authority is a key factor to the success of any security team. It's an old adage that the higher the endorsement for a security measure goes, the more likely it is to succeed. If your corporate culture is open enough (or your standing high enough) that you can speak directly to top management, use your growing persuasive skills to win, and keep, their support.

    If your organization is a bit more staid, or your role a bit more humble, work through the hierarchy. Sell your boss on your best ideas, and encourage him or her to adopt them and sell them up the chain.

  • Scarcity is the "Act now! Supplies are limited! Operators are standing by!" hammer in your persuasion toolbox. The impulse to act when something is in limited or dwindling supply is a powerful one, and it can easily overwhelm rational thought. We value our independence so much that the idea of losing the freedom to get something we want, or even don't want at all, is so unpalatable that we often rush right down store and buy, rather than be deprived of the choice to do so.

    Scarcity is one area where it may be more important to arm yourself against persuasive influence. Vendors and consultants love to offer "one time only" end-of-year and end-of-quarter pricing. Don't make a rash decision and find yourself paying for it.

    You can apply scarcity to your favor if resources or dollars are limited and a particular initiative is dying committee: Emphasize that if you can't gain approval now, the initiative may have to wait until next year, or next quarter.

If the end result is improved security posture, making this brand of positive social engineering part of your infosecurity toolkit is a necessity. Good luck, and remember that a little bit goes a long way. Persuasion skills will help your success, but make sure you use them to promote solid security. They're no substitute for a level head.

About the Author
Shawn Moyer is CISO of Agura Digital Security, a web and network security consulting firm. Send your comments on this column to feedback@infosecuritymag.com.

This was last published in February 2006

Dig Deeper on Information security program management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.