Building Trust Between Security and its Peers
Q&A with psychiatrist Dr. Ryan K. Louie, cybersecurity trust and compliance expert Kim Burton, and Discernible CEO Melanie Ensign
Trust is critical for collaboration. Effective cybersecurity programs rely on seamless communication and cooperation across the organization. Without trust, information sharing becomes limited, hindering the ability to detect and respond to security issues appropriately. Building trust between cybersecurity professionals and cross-functional colleagues ultimately leads to better security outcomes.
We asked two trust experts, Dr. Ryan K. Louie and Kim Burton, to join CEO Melanie Ensign for a discussion on how security teams can develop deeper trust with their partners in the business.
We often have to make quick decisions in cybersecurity. How does trust between security teams and our cross-functional partners impact how information and risk assessments are processed? How can we teach security practitioners to be trusted partners?
Kim:
Trust is necessary for security teams and cross-functional partners to make responsible quick decisions. Partners who do not trust the security team may believe their team’s priorities were not understood or that security’s analysis is suspect. They may ignore the information they receive from security teams entirely. Teams fail to communicate, falling into micromanaging, duplicate work, inefficiency, and distraction.
Trust is built over time through competence, benevolence, and integrity. This starts with showing partners that you understand their unique pressures, how they operate, and why before we require them to make changes. Then, as we move into business conversations, assume that others are doing their best with the resources they have and their current understanding of business priorities. Take the time to learn another team’s workflow and role requirements – this will help you build trust as you teach the business about evaluating risk. If you’re interested in this topic, I suggest reading Move Fast and Fix Things: The Trusted Leader's Guide to Solving Hard Problems by Frances Frei and Anne Morris.
Ryan:
Trust takes a long time to build, and some of the most effective teams are the result of members who have known each other and worked with each other for quite a while. They are familiar with each other and importantly, can exchange thoughts, ideas, and viewpoints in a very open and candid manner. There is psychological safety, and people feel comfortable speaking up and expressing opposing viewpoints. This type of conversation and 2-way dialogue to evaluate situations when time, resources, and available information are limited is a key factor for teams to be successful.
While trust over time would be ideal, there is not always that opportunity for time and team-building for all teams. In the shorter term, trust can be built by establishing a culture at the beginning of any project or endeavor that promotes listening, respect, and empathy. The focus is not just acceptance of different ideas and viewpoints, but for those elements to be treated as milestones and actual performance measures. That way, the culture becomes expected, and that helps pave the way for conversations and discussions during high-stress situations. Cross-functional partners and security teams will be able to understand, know about, and appreciate the work of one another. And team members will be base-level fluent in fundamental concepts of each field.
Melanie:
Both of your answers remind me of how important it is for leaders to build trust in the decision-making process, especially when the stakes are high or we don’t know each other well. I see security teams create charters or mission statements intended to describe the vision and expectations of the team – but they don’t provide any guidance to their team members about how to incorporate those values and responsibilities into their decision-making. For example, if you want your security team to have a reputation for being a trusted business advisor, then you better teach everyone what that looks like in how they interact and communicate with each other and their peers. How do we build tools and protocols as a team of trusted advisors? How do we plan our security roadmap as a trusted advisor to the business? How would a trusted advisor request things they need from the business? (Spoiler: you offer to help them first!).
When people are under pressure and time is of the essence, a trusted process can unite different departments and perspectives because you’re already aligned on the values and principles that will be prioritized throughout. This is particularly important during incident response because arguments over whether or not honesty with customers supersedes potential litigation risk should be put to bed long before public statements are underway. Commit to your values in advance and help the business navigate the risk required to live them.
Different ways of presenting information, such as visual maps vs textual data, can influence cognitive processing. Does this impact how trust is built between security teams and their colleagues?
Ryan:
Different people will be receptive to information presented in various ways. The trust built between security teams and their colleagues helps them understand the information. The trust will come from the generosity and kindness of people taking the time to explain and translate the meaning and significance of the information to those who might be used to seeing it presented differently. The result is a team fluent in multiple ways of sharing and receiving information. This builds strength and trust further by the team’s ability to see any pitfalls or if pieces are missing from the information set, and to look out for one another by sharing opinions and insights about it.
Kim:
Receiving information in multiple different ways can help people to process and understand the information. When we see something new it can be difficult for the learner to immediately apply the content – they need personal process time to identify how the material relates to them individually. Different people may prefer one kind of presentation over another and so they’ll pay more attention if they resonate with how something is presented (This is distinct from “learning styles” which has no basis in research and is a troublesome myth about how learning works).
We should not forget that our colleagues also have accessibility needs from dyslexia, auditory processing disorder (APD), and other differences in information ingestion, as well as different experiences and practical expertise. This means that presenting material multiple times in multiple ways gives team members the ability to ingest content that they can then process internally, coming to an early understanding of the material, and then they may re-encounter it in a different way to understand the nuances and further implications. To have these multiple forms available means people can bring all of their aptitudes to bear, fully integrating the content into their brains. This is called “multimodal learning” – a method that engages multiple sensory systems simultaneously for best absorption.
Security teams that provide multiple ways of encountering important information increase trust through:
Familiarity – colleagues will see the security team and the names of its members more often in positive settings, and this familiarity opens the door to trust
Empathy – show your colleagues that the security team cares about them and the business. This is demonstrated by your continued effort to engage through different content formats and communication channels. As I mentioned above, empathy is a key pillar of building trust.
Accessibility – busy, distracted team members, neurodivergent teammates, and those with learning disabilities deserve to see themselves represented in the content’s presentation and to know that it’s “for them” – again, increasing the perception of the security team’s altruism (“They care about me, they see me”)
This kind of trust results in 1) partners believing that the security team has made the risk clear to them, 2) they understand what we’re telling/showing them, and 3) they believe in our competence to help them.
A good resource for this topic is: Make it Stick: The Science of Successful Learning by Peter C. Brown.
Melanie:
It’s hard to build trust when people feel confused or excluded. Kim’s advice is important for avoiding those situations.
I also like Ryan’s point about generosity and kindness as the message sender, particularly because trust encourages reciprocity. The message and its delivery are equally important in getting your point across and fostering relationships that can withstand occasional misunderstandings or mistakes. If you haven’t earned the benefit of the doubt, you haven’t truly earned trust.
Security professionals sometimes need to tell a colleague that the product or feature they’re building is insecure and needs to be fixed. How can security teams use these conversations as opportunities to build trust with cross-functional colleagues?
Kim:
Ideally, security teams have a foundation of trusted partnerships before they begin to criticize or correct products and features. Of course, sometimes there is not enough time for this development to take place. So, in all circumstances, communicate the work that needs to be done respectfully, and in a way that does not personalize or blame specific teams or individuals.
If someone perceives a feature as “their baby” – having invested their time, energy, and passion, and having become personally attached to it – they are more likely to perceive questions or criticisms as a threat.
Ideally, one would learn to separate a project from themselves, to stop seeing comments on their work as comments on their value and self-worth. This separation allows people to be more open to collaborative projects and welcome what the security team brings to the project. The security team’s input was always going to be a natural part of what a project requires to become “done.” The security team can frame what they do (identify vulnerabilities or risks) as a natural part of the build process.
Ryan:
People can naturally feel threatened, anxious, or emotional when others point out things that need to be fixed, features that are not secure, or negative feedback. The key to building trust is to establish the culture and norms of an organization, at the very beginning of anything new that is started. The building of psychological safety into the foundation and framework of any new project, so that everyone knows that this is the standard, will help lessen the impact of negative feelings during hard conversations. If everyone across all levels of an organization routinely and genuinely practices the giving and the receiving of candid information and comments, then it becomes more accepted and ideally will be promoted and championed as the mindset that is honored.
Melanie:
See my comments above regarding building trust in the decision-making process!
How does helping others accomplish their goals impact security’s ability to influence business decisions?
Ryan:
I think back to Professor Robert Cialdini’s 6 principles of influence. We often hear about these in the context of social engineering and the connotation is negative. However, if the principles of influence were applied positively and kindly, to uplift and support others, then this can be a very powerful method of change for both the provider and the receiver of influence.
There will be a new level of understanding and trust between people, to know that they are being guided by people that they feel are important to them and in a way that feels right for them. Influence, like technology and innovations, has an upside and a downside. The key to navigating this is to be aware of when influence occurs, how it’s affecting someone, and how it makes them feel. Then they can decide the best course of action.
Kim:
Security professionals should consider understanding the motivations behind their own behavior before trying to influence others. I would not trust the motivation of the security team nor the outcomes before this personal work is done. A personal understanding of one’s motivations can reveal areas where challenging one’s assumptions or a change in relating to others is needed.
The security profession often requires people to approach others when fear is at the forefront and psychological safety is challenged. Security teams must respect this reality and respond with compassion; no one wants to feel threatened by or afraid of the people who are supposed to protect and support them through a vulnerable time. People have many different motivations for what they do, but everyone has some kind of goal or desire or something they’re trying to avoid. Security teams frequently rely on negative motivators, like fear or punishment, which can be effective in the short term but come at the cost of trust.
Trust naturally allows security teams to influence their peers and they can do this with positive motivators like connecting requirements to professional growth, providing recognition for exemplary work, demonstrating how security contributes to the business community, reminding people of values they hold that resonate with security concepts, or connecting security needs directly to the company’s vision. Using a variety of positive motivators will create a culture that influences many different kinds of people and lets them see themselves represented in the security team’s vision for the company.
Melanie:
Sometimes security professionals focus too much on why they do security things and expect everyone else to do it for the same reasons, instead of considering what’s already important to them and doing the work to show that certain security choices can help them accomplish those things. Religious conversions are not necessary to get people into a church. Sometimes a potluck will do.