The Art of InfoSec Influence: Shaping the Decisions of Business Leaders to Support Security Awareness
SANS Security Awareness Summit, December 2020
Luke R. Barnes
AGENDA
- Bottom Line Up Front
- The Need for the Art
- Start with the End
- Ethical Filters
- Understanding Culture & Decision-Making
- Define Your Targets & Ascertain Their Biases
- Crafting Messaging Themes & Linking to Business Objectives
- Creating Influence Opportunities
- How to Know if the Plan is Working
- Summary: The Roadmap for Ethical Influence
- What NOT to Do
- Q&A
BOTTOM LINE UP FRONT
Building an InfoSec culture and a security awareness program is difficult. Without executive support, it will be both slow and frustrating. Your success hinges on your ability to influence their decision-making process!
- Influence can be learned and refined. If your professional career depends on your ability to influence, why do you spend so little time learning how to get better at influencing?
- Influence can be done intentionally. The purposeful and planned use of influence can greatly benefit the organization.
- Influence can be done ethically. There is an art to most domains, and practitioners can leverage ethical influence tactics.
THE ROADMAP FOR ETHICAL INFLUENCE
(Roadmap diagram: ten numbered steps. Each step is spelled out on the summary slide of the same title near the end of the deck.)
We are not talking about "inception," where we plant ideas in the subconscious minds of our targets.
...or are we?
COMPETITION FOR RESOURCES
Especially in a post-COVID era, resources are constrained and will only be allocated to those sections, departments, or initiatives that fight for them.
Realities
- You are in competition for money
- You are in competition for a voice
- You are in competition for influence
Context
- This isn't always a zero-sum game, but it can be
- Sometimes the narrative is being shaped by someone else and you have to change it
ART vs. SCIENCE
Due to the countless variables and dynamics at play, the results will be different every time. That is why we focus on understanding the process rather than focusing on outcomes.
SCIENCE: If you can replicate the work and get the same outcome, then it's a science.
ART: If you can't replicate the work and get the same outcome, it's an art.
START WITH THE END
Defining Your Endgame (TAPR)
Template: The ___ will ___ in order to ___. Upon completion it will achieve ___.
Example: The CFO will approve additional funding up to $200K in order to fund a new security awareness campaign around our remote workforce. Upon completion, it will achieve increased resiliency against threats to our cloud-forward company.
Tip: Spending the time to craft your endgame statement may seem trivial, but it is vitally important to keep you on track!
A slimy manipulator or an influential leader?
The difference is the motive: a genuine concern for the good, welfare, and development of someone (your boss or subordinates) or something (your company).
Tip: Ensuring your motives are ethical is a continuous process and a vital component of any influence operation. Don't skip this step!
I am not your conscience (nor am I an attorney).
Tip: At the end of the day, you have to live with the effects of your own decisions. Please do not mistake anything in this presentation as a call to violate your own conscience or operate outside ethical boundaries.
FILTERS TO ENSURE ETHICAL ACTIONS
1. Truth or lies? Lying is never okay. If your message is not true, then stop.
2. Part of your job? If your influence operation takes you far outside your job duties, then stop.
3. Credit? Are you okay if someone else gets the credit for the results?
4. Sleep soundly? Would this bother my conscience when I'm trying to fall asleep?
5. Formally tasked? A formal tasking should give you confidence as you determine whether your motives are ethical.
6. Who benefits? Ensure there is a "corporate" benefit and that the primary focus is not on "personal" benefit.
7. Spousal support? Could you defend it to your spouse or kids?
8. Outside optic? How would this look from the outside? Is there a potential this could be used against me?
You need to understand the CULTURE at your organization.
You need to operate within the cultural boundaries in order to be effective. This is not the time to "buck the system" or play "counter-culture games." If you want to be an instrument of change, you need to play the "games" and work to integrate. Choose your battles wisely. Don't be divisive; work to bring people together. Remember, InfoSec will always be a supporting function!
You need to understand DECISION-MAKING at your organization.
Tip: The Four A's
- Awareness: Prior to making a decision, executives must be aware that a decision needs to be made.
- Assessment: Following awareness, they go into the assessment phase, where alternative options are considered.
- Adoption: Following assessment, the leader must go through a phase where they adopt (or own) the perspective, plan, or vision.
- Action: The decision must be a choice either to ACT or NOT to ACT. Either way, they are choosing to do something, through an act of commission or omission.
Tip: Your target needs to be a decision-maker/leader. Look for those leaders who can say YES, not just NO.
DEFINING YOUR TARGET
List out possible options. Determine who the final decision-maker(s) is. Every organization is different in its power structure. Some are large with a centralized power structure; some are small with a decentralized power structure. The smaller, decentralized ones make it a little easier to identify the target decision-maker. There may be a need for multiple "launch pad" (i.e. interim) targets before you get to the primary target.
KNOW THE BIASES OF YOUR TARGET
- Know their "hot button" issues, and play into them at the right time
- Avoid known landmines! Stepping on landmines will kill your ability to influence
- Learn the methods and mediums through which they receive information (word of mouth, digital, hard copy, etc.)
- To whom do they listen? From whom do they take advice?
- Listen carefully for other motives which may be influencing their decisions, processes, and timelines.
- Be on the lookout for the common biases below.
Common Subconscious Motives
- Protect legacy
- Internal power struggles on the executive team (ego/pride)
- Revenue pressure
- Social agendas
- Justify existence/prove value
Common Types of Biases
- Confirmation Bias (favoring info that confirms our perceptions)
- Availability Bias (overestimating the value of readily available info)
- Anchoring Bias (over-reliance on the first piece of info we hear)
- Bandwagon Effect (the more people who believe something, the more will join)
- Self-Serving Bias (we favor beliefs that enhance our self-esteem)
- Affect Heuristic (a mental shortcut which lets us solve problems quickly, based on emotions such as pleasure)
- Stereotyping (expecting the member(s) of a group to all act the same without having real data or evidence to validate or confirm it)
HOW TO ASCERTAIN THE BIASES OF YOUR TARGET(S)
- Sit in meetings and observe discussions
- Listen to how others tailor their messages to the target (seek out other effective leaders and watch what they do)
- Read newsletters, updates, and memos they write
- Open Source Intelligence (OSINT) gathering:
  - LinkedIn profile
  - Personal blogs
  - Articles they've authored
  - Organizational involvement/clubs
THE STAIRWAY TO CHAMPION
Identify where your target is currently standing... then have realistic expectations about how far you can move them and how fast! The goal is to move up these layers sequentially. While not impossible, it's rare that a person will skip steps.
The stairway, from the top step down:
- Champion
- Strongly Supportive
- Supportive
- Interested
- Likely To Go Along
- Probably Won't Resist
- Uninterested
- Negative
- Champion Something Else
- Antagonistic
Using your intended endgame, CRAFT A COMPELLING MESSAGE that you can begin injecting into the information environment.
TIPS FOR CRAFTING A COMPELLING MESSAGE
1. Your message must be tailored to your audience
2. Your message must be timely
3. Your message must be coordinated
4. Your message must be consistent
5. Your message must be for the ultimate good of the company (i.e. ethical)
6. Your message may need to be layered
LINKING TO BUSINESS GOALS
The most underrated skill in InfoSec leadership is the ability to understand and communicate how InfoSec efforts support the business.
1. BUSINESS GOALS: Know the specific business goals and work to link each request/message to them.
2. FINANCIAL HEALTH: Know the financial outlook and health of the company so you know what is reasonable.
3. BUDGET TIMELINES: Understand the budget timelines and the approval process.
4. ROI: Know their preferred method of measuring Return on Investment.
SEE, THINK, DO
Work backwards through these and ask yourself: in order to DO (or not act), your target must THINK about it. Before they think it, they must SEE it. Ask what they must see in order to think to take action.
Let them see you TICC: Teamwork, Involvement, Commitment, Competency.
Tip: Never underestimate the power of "likeability" in getting people to do what you want them to do. E.g., don't be a jerk.
How to Create Influence Opportunities (1 of 4)
1. Join non-InfoSec related committees
- Build relationships with other functional groups (marketing, finance, sales, engineering, etc.)
- Volunteer for committees and subcommittees
- Why? This will provide you with additional context, the ability to influence other groups, and additional perspectives.
2. Attend corporate functions & events
- Be ready with your messaging theme
- Be concise
- Be bold
- Don't drink too much. It's sad that I have to say this, but it's true.
- Why? These are excellent venues to build rapport and credibility!
How to Create Influence Opportunities (2 of 4)
3. Build relationships with non-InfoSec staff and be seen
- Get out of your cube/basement/office and walk around!
- Find culturally-aligned situations with which you can integrate
4. Increase the probability of "run-ins" to build rapport
- Once you've identified your target, find out where they go for coffee or lunch. Learn their routine and plan "coincidental" interactions that are not connected directly to your goal.
- "The deepest urge in human nature is the desire to be important." - Dale Carnegie
- Don't immediately jump into your "ask"; let it unfold naturally, or even better, wait until they bring it up themselves! "Funny you should mention that, Sarah, because I actually do have some ideas on that. Do you have an extra few minutes now to discuss that, or should I reach out via email to set up a meeting?"
- Keep it short. Any person/role which will be a target is going to be busy and have 15 other things on their mind
- Don't be annoying about it, and use your emotional intelligence to gauge whether the timing is appropriate
How to Create Influence Opportunities (3 of 4)
5. Inform Up
- Inform leaders of activities and copy the target on the email; this will build trust with the target's peers
- One approach is to numb them into indifference by flooding them with information around your plan until it is no longer seen as a threat
6. The "Magic of 3"
- 3 points of affirmation to get them to believe you are trustworthy
- 3 sources of information will get them to believe it
- 3 times to hear or see the same message
7. Apply the Principle of "First Truth"
- If at all possible, you want your message/approach/plan to be the first one they hear
- Those who get the "first truth" out there will have an advantage
- Also known as the Primacy Effect or Anchoring Bias: people are over-reliant on the first piece of information they hear or see
How to Create Influence Opportunities (4 of 4)
8. Actively Counter Opposing Messaging from Antagonists
- Do you have an opposing force to deal with? Someone competing for funds? A colleague who doesn't like you? Someone threatened by your success or increasing influence?
- Keep them close and have a pulse on what kind of messages they are sending
- Ghost those messages and counter them with haste to prevent seeds of distrust or discord (Ghosting = addressing their message in other content without naming them specifically)
9. Ask for an introduction to the target before you do a cold introduction
10. Look for an unlikely, seemingly disinterested third party (the Unlikely Alliance)
- If you can get an unlikely alliance formed, it will be a force multiplier. Get them to speak the same language and terms and push your message to or around your primary target(s).
Influence Opportunities: The Unlikely Alliance
Example of an Unlikely Alliance (e.g. the VP of Sales)
- Deals with a distributed sales team across the country
- Does his sales crew feel confident they can do their job safely?
- Are they accessing sensitive customer information from places or tools with questionable security?
- Will increased security controls around the remote workforce enable his sales team to be more effective and hit their sales goals?
If so, let the VP of Sales know what you are doing: inform him of your plan and see if he agrees.
Passive Approach = No direct ask; let him connect the dots on his own. "Yes, I understand your problem. I'm in the process of building out a plan but waiting for final approval from the CFO to launch the campaign."
Direct Approach = Direct ask; connect the dots for him. "John, I am currently in the process of waiting on approval for a plan to solve this problem. Would you be willing to mention this at the next executive meeting and let the other executives know the positive impact it will have on your sales team?"
Once you begin to create influence opportunities and inject your messaging, WATCH FOR INDICATORS that your plan is working, and be prepared to reinforce or refine your messaging. (These are your success criteria.)
WAYS TO KNOW IF YOUR INFLUENCE PLAN IS WORKING
- You begin to see your message repeated, either by your colleagues or by your target leaders.
- You start getting more invites to the table or requests for more information.
- Your target(s) actually start repeating the message as if it's their own idea. This is the pinnacle of successful influence! Resist the urge to take credit. Let them believe it. Be content with the internal satisfaction of knowing your plan worked!
THE ROADMAP FOR ETHICAL INFLUENCE
1. DEFINE YOUR ENDGAME: Start with TAPR: The ___ will ___ in order to ___. Upon completion it will achieve ___.
2. USE THE ETHICAL FILTERS: Ensure that your motives are ethical by running them through the 8 filters.
3. KNOW THE CULTURE: You must operate within the cultural boundaries in order to influence effectively.
4. KNOW THE DECISION PROCESS: The Four A's: Awareness, Assessment, Adoption, Action.
5. DEFINE/REFINE INFLUENCE TARGET: Your target(s) must be decision-makers who have the ability to say YES. Refine and update Step 1 if needed.
6. ASCERTAIN THE BIASES: Listen more and talk less. Observe your target. Take notes. Learn which biases can be reinforced.
7. "SEE, THINK, DO": Let them see you TICC: Teamwork, Involvement, Commitment, Competency.
8. CRAFT YOUR MESSAGE: Your message must be tailored, timely, coordinated, consistent, ethical, and layered.
9. CREATE INFLUENCE OPPORTUNITIES: The more opportunities you create and the more tactics you use, the higher the probability of effective influence.
10. WATCH FOR EFFECTS & REFINE: Are your messaging themes being repeated? Do they believe it's their idea? REINFORCE or REFINE.
What NOT to do!
- Do not view people and relationships primarily as a means to an end. Instead: Seek to build authentic, mutually beneficial relationships.
- Do not be impatient or get frustrated. Instead: Use tactical patience. Influencing the decisions of leaders takes time!
- Do not burn bridges. Instead: Never shut down communication. Do everything you can to leave the connection channels and relationship conduits open.
- Do not forget your "Why." Instead: Refer back to your written objective to keep you from deviating.
- Do not tell people your plan (keep your cards close). Instead: Closely guard your plan and its contents. This allows for 1) OPSEC, and 2) flexibility to adapt the plan without losing credibility.
- Do not be afraid to settle for adjacent or diagonal launching pads. Instead: Know when it's strategically wise to adapt to adjacent or diagonal influence points.
"I'll tell you what leadership is. It's persuasion and conciliation and education and patience. It's long, slow, tough work. That's the only kind of leadership I know." President Dwight Eisenhower
Questions?