Exercising Influence as the Security Team: Look for Friction Not Just Fuel
How do you drive security considerations into decisions made by other teams and stakeholders? As I discussed in my presentation at the USENIX Conference on Privacy Engineering Practice and Respect (PEPR) in 2020, learning how to influence people outside your reporting chain is a boss-mode skill.
Many security professionals believe that more internal marketing or “awareness” campaigns will lead to better security outcomes. But often, these efforts fail to move the needle. That’s because these programs often try to convert stakeholders into security champions willing to swim upstream for the cause, instead of looking for the obstacles that prevent stakeholders from making good security choices by default.
This is something we encounter a lot in our work with clients at Discernible and was a major inspiration for our negotiation and group decision-making workshops.
What are your stakeholders’ hidden frictions?
Subscribers of Discernible’s newsletter know that I’m a big fan of the Hidden Brain podcast as well as applying lessons from other disciplines to security communication challenges. Other fields of study beyond security already know so much about how the human brain works and how people make sense of the world around them, we’d be crazy not to learn from their scholarship.
The Hidden Brain podcast aired an episode last week entitled “Hidden Obstacles” that I found poignantly relevant to security communications. The episode highlights the research of Loran Nordgren, Professor of Management and Organizations at the Kellogg School of Management at Northwestern University. I’ve taken the liberty of applying his insights to common situations I experience with security organizations.
The episode focuses on Nordgren’s research and includes the story of a Chicago-based company that manufactures fully-customizable sofas and chairs, promising a one-of-a-kind piece of furniture. After spending hours designing their custom furniture in the showroom, would-be customers disappeared and the company wasn’t able to convert the sale. As a result, the company considered lower prices, changing the customer experience, or altering the product in order to drive more sales conversions.
However, an ethnographic study among their target customers revealed that the problem was actually that people didn’t know what to do with their existing sofa. This conundrum was enough to prevent them from buying a new sofa no matter how much they liked the ones sold by the manufacturer in Chicago. Upon learning this, the company began offering to pick up customers’ old sofas when the new one was delivered. This immediately resolved the company’s conversion problem.
Sometimes in security, we try to win people over by pushing harder, missing the friction that prevents them from exercising the behavior or decisions we need. Nowhere is this more prevalent perhaps than in the way we use media headlines to try and scare our colleagues into compliance with our demands instead of starting from a place of empathy. In fact, most of the time, our colleagues already agree with us that security is important, but we’ve failed to take into account simple things standing in their way, such as:
Do employees know you exist and how your work relates to them personally?
How easy is it for people to reach your security team with questions or concerns? Are there self-service options for resolution?
How timely, supportive, and compassionate is your security team in their response?
How disruptive or out-of-band is the process for working with your security team?
Instead of adding more fuel, build a lighter spaceship
Hidden Brain podcast host Shankar Vedantam asks Nordgren why organizations and individuals tend to focus on the “fuel” component of the equation rather than on friction. If we’re trying to launch a spaceship into space, Nordgren says, it is tempting to focus on building a bigger rocket instead of designing a lighter spaceship.
According to Nordgren, this is because we naturally understand behavior in terms of internal forces such as motivation and intent. These are “fuel.” When people don’t take the action we want, we often (incorrectly) assume the appeal is insufficient, so we try to increase the appeal with more fuel.
For security teams, it can seem easier to look for a bigger, flashier solution instead of smaller solutions that could help address friction. Yet Nordgren cites the common but incorrect assumption that adding more gunpowder to a gun will make a bullet travel faster or farther as an analogy for how a focus on fuel can be counterproductive. Although gunpowder is responsible for the initial velocity of a bullet, the reason a bullet is able to fly so far and so true is its aerodynamic design. The shape of the bullet helps reduce the friction, or drag, caused by wind resistance and gravity. Adding more gunpowder actually creates more drag.
How many appsec or product security engineers spend hours every day trying to convince developers and other engineers to patch their systems or fix code vulnerabilities? Depending on the size of your organization, your team could potentially have dozens of identical and duplicative negotiations happening at any given time with cross-functional team members. Each of them is fighting to add more gunpowder instead of making the process more aerodynamic.
In this kind of situation, I often find significant friction from the lack of formal incentives for developers to maintain the health and quality of their code. If security considerations aren’t mentioned in leveling ladders or performance reviews, the headwinds preventing developers from prioritizing security work are very strong. This is where CISOs and senior members of the security team need to flex their influence and relationships with their senior engineering peers to negotiate for security to be an official expectation of their team. For all the CISOs reading, if you don’t already have this kind of influence, it’s not too late to start earning it. You can remove a lot of headwind for your entire team.
Subtracting friction
Nordgren suggests that in order to identify friction, we need to do the upfront work to find it and shift our focus from the issue to the audience, specifically the broader, contextual, emotional needs of our audience. He says friction tends to be buried and therefore requires discovery, perspective-taking, and knowing your audience to find it. We can’t dismantle it until we can see it.
So, what kinds of friction do security professionals need to look for and then minimize? Nordgren mentions three types of friction in the episode, which I’ve put into a security context:
Path of least resistance - Have we made it easy for individuals to interact with our security people, tools, and procedures?
Inertia - Our minds reflexively favor things that are familiar even when the benefits of change are overwhelming, and this pushback is usually greatest when we’re pursuing big, radical change. So how are we connecting security work to things already familiar to our stakeholders and is it possible to break big changes into smaller, incremental ones?
Emotional cost - It’s common for there to be anxiety about tough conversations with both internal and external stakeholders. Have we trained our security team members to have those discussions with confidence and empathy? Are we seen as a supportive guide or partner to our stakeholders or do they still see us as out-of-touch with their needs?
If you’re interested in learning more about Loran Nordgren’s research, check out his Wall Street Journal Bestseller, “The Human Element: Overcoming the Resistance That Awaits New Ideas.”