Over the past decade, the field of cybersecurity has virtually exploded into a complicated and sometimes confusing collection of disciplines and must-have solutions. As a cybersecurity leader with more than 20 years of experience leading teams, designing distributed systems, and managing data centers and cloud infrastructure, I do my best to stay on top of this rapidly changing landscape.
It can be overwhelming at times, and if it’s daunting for a practitioner in the field, imagine what it’s like for the people you need to convince that it is in their best interest to spend money on a new cybersecurity project, such as your clients, boss, or other stakeholders. This challenge is certainly not unique to cybersecurity, but it is one that continues to plague many in this field. After years of experiencing the frustration involved, I am ready to share some of the lessons I’ve learned in hopes that they also bring you success when it comes to creating buy-in among your stakeholders.
The Curse of Knowledge
When approaching your stakeholders or leadership with a new endeavor, it’s crucial to provide information and context that is meaningful and calibrated to your audience. Do your best to educate your audience so that there is a real, shared understanding of what you are asking to spend resources on.
More importantly, don’t lose sight of why you want to do it. Due to the Curse of Knowledge, it is easy to assume that the people you are communicating with already know why. Be aware of this cognitive bias and take time to start with “why” rather than focusing on the “what” or “how” of the project.
Start with “Why”
You may have heard of this concept from Simon Sinek’s TED Talk and book: “Start with Why.” The concept is often applied to organizations, but I implore you to use it when thinking about your team and the projects on your roadmap.
In my experience, you will have better luck creating lasting support if you start with “why.” Spend more of your energy reaching a shared understanding of why you are trying to do something rather than how. Even better, if you can tie your “why” to the broader guiding principles of your team, institution, or organization, you can create lasting trust.
Fear Doesn’t Work
Resist the temptation to use fear to get a project off the ground. Sure, fear is a powerful motivator if you need to get something done exactly once. However, chances are you’re planning to work with your stakeholders again and will need their support on an ongoing basis.
To motivate action, you can manipulate or inspire. Using the threat of experiencing a breach as a motivator is a form of manipulation by fear. Instead, motivate your stakeholders into action by inspiring them through educating and selling them on your values, vision, and your “why.”
Focus on People
Lastly, remember to put people first. Make sure your team knows and believes in your “why” and your mission. Humans are innately driven by core values. Make sure you staff your team with people who believe in your mission: they are your catalysts and the educators who will teach the other people in your institution or organization about what you are trying to accomplish.
Back to Basics
With all of that said, don’t lose sight of the basics. Much has been written elsewhere about getting back to basics, but it can’t be said enough. There is a vast selection of applications and service offerings out there that offer solutions for every conceivable problem. However, all of the artificial intelligence and machine learning in the world isn’t going to help if the basics are not covered.
Make sure you have foundational controls and a good patch management practice in place. Assess and be aware of your risk. Change your culture to consider cybersecurity as a top priority in every part of the organization: from the CEO to the intern. Implement and regularly test an incident response plan. Mandate the use of multi-factor authentication.
Putting It Into Practice
The next time you find yourself needing buy-in from somewhere that has been challenging in the past, use this as a guide. A change in perspective–whether it’s yours or someone else's–is a powerful tool for inspiring action.