Positioning the Security Team Through Influence Part 1

Friday, April 06, 2012

Steven Fox, CISSP, QSA


Last week I discussed how information security is broken at the relationship level. This was illustrated by highlighting some challenging outcomes from the dysfunctional communications between security teams and their business customers.

While several remediation strategies were posed, the essential approach to enhancing the role of security professionals is to enhance their organizational influence. This article kicks off a series exploring basic influence styles, the associated pitfalls, and guidance for their proper application.

According to Chris Musselwhite and Tammie Plouffe, “In today’s highly matrixed workplace, your ability to influence others can be key to your professional success.” Their article “When Your Influence Is Ineffective” addresses the challenge of influencing the many personalities that make up the typical corporate culture.

“The bottom line:” write Musselwhite and Plouffe, “since we naturally default to the one (sometimes two) styles that work best at influencing us, our influencing ability and our effectiveness to influence others will remain limited until we develop influence style agility.”

The lesson highlighted in this article is simple in its expression but complex in its implications – strategy and tactics must guide the application of influence. Influence styles are a reflection of the influencers and, by extension, their team. Thus, they must understand the situations to which different styles are applicable.

“While the influencer may gain the short-term desired outcome, he or she can do long term damage to personal effectiveness and the organization.” Just as poorly used network scanning tools can lead to disruptions of I.T. networks, amateur attempts to influence can result in disruptions in the professional network or long-term denial-of-influence.

We start our exploration with Rationalizing, a style defined by the use of rational and logical arguments. Its usefulness relies on the availability of reliable data that can be analyzed objectively.

Rationalizing

This style is effective in cultures that value a dispassionate view of problems, a view that rarely dominates corporate decisions. Influencers that “ignore value-based solutions, or fail to consider the emotions or feelings of others…can be perceived as competitive or self-serving, and may generate a competitive response.”

Forgetting the emotional and political dimensions of any decision will diminish or nullify the power of a rational appeal. While reviewing network architecture and implementation artifacts for a client, I commented that they lacked information I needed to approve the design.

Informing the security manager of these issues, I noticed a contentious shift in the way he related to me. Although the engagement ended on a positive note, I had to spend additional time to ensure that I was seen as a trusted advisor.

Success Tip

This style is effective when combined with styles that recognize the political and business decision drivers, such as negotiating and bridging. Associating mutually accepted metrics with business objectives is one approach to using this style effectively.

Most importantly – always analyze data in the context of the initiatives that take priority for the business.

Stay tuned to the @McAfeeBusiness Twitter feed for more tips and case studies highlighting the fusion of information security and business.  

Cross-posted from the McAfee Security Connected blog
