The art of communication is the language of leadership.
— James C. Humes
It is far beyond the scope of this book to outline all of the tips and techniques to unlock these benefits or to provide you with a PhD in communications; however, we will review some of the practical concepts that we found, throughout our collective experience, to be the most impactful in a cybersecurity leadership context. Communication skills are as perishable as a golf swing. Use them or lose them, as you will see below.
My parents are Greek immigrants who came to the United States in the 1970s, and they raised my sister and me speaking Greek in our home. I love being bilingual. It has served me very well, from communicating with my parents and family abroad to giving me an advantage in the application and recruiting process of various roles throughout my career. Interestingly, I never needed to use Greek in a professional setting until this year.
My father had a good grasp of English as he was the primary breadwinner for our family and used English every day. My mother, however, was a “stay at home mom” for most of my youth, and as a result she only picked up enough English to understand most of a conversation, but not enough to speak effectively. Ironically, my mother's English was the best during the O.J. Simpson murder trial as she was glued to the TV all day. Shortly after that trial ended, one satellite TV provider started offering a bundle of Greek channels. My parents subscribed, and my mother's English fell off of a cliff, never to return.
On the flipside, since I moved away from the city where my parents live, my Greek has gone downhill because I only use it when I speak with my mother. Today, more than 20 years later, my mother and I communicate through a mix-mashed conversation of “Greenglish,” and I am the first to tell you, it is not anywhere near effective. It is unfortunate that, as a result, our phone conversations are usually short and do not have a lot of depth.
It is my responsibility to bridge the communications gap. My mother is not bilingual. I am. And as a cybersecurity leader, it is my responsibility to learn to speak the language of the business instead of the business learning to speak the language of cybersecurity (see Chapter 1 – Financial Principles: The Language of Business).
We communicate every day, so why aren't we connecting with the business? A search for the term “communication” for books on Amazon comes back with over 100,000 results. Searching for “effective communication” narrows down the results to over 16,000. Either way, those numbers are staggering and highlight the importance of communication. Communicating goes well beyond flapping your lips and coherent words coming out of your mouth. Just because you can speak a language does not mean that you can communicate effectively in that language.
The reality is that cybersecurity does not generate revenue in most organizations. As cybersecurity leaders, we are continually battling for visibility and a budget. We have spent this entire century so far pounding our fists and SCREAMING that cybersecurity needs to have a seat at the table. Effective communication is the key to getting that seat. When you scour through many of the popular works in the Amazon search results above, you find many benefits to effective communication in the workplace. The following common themes emerge:
· Forms credibility and trust
· Streamlines the sharing of ideas and problem solving
· Establishes clarity and eliminates confusion
· Promotes employee engagement and teambuilding
· Influences people
· Resolves conflict
· Brings transparency and guidance
· Institutes an understanding of business practices
· Grows career opportunities
· Increases productivity
In this chapter, we will lightly touch upon the elements of communication and point you to several valuable resources that can expand upon the topic if this is an area of growth or focus for you at this stage in your career. Specifically, the sections that follow offer structure to improve communications for the explicit purpose of advancing a cybersecurity program.
Do you have the courage to listen? Do you have the curiosity to drill down, peel apart, and determine the root cause of the matter at hand? Do you kill them with kindness and are you self-aware enough to understand how your body language makes or breaks a communication? Can you find the “why” and resonate with your audience through the use of stories? Finally, do you create a safe environment for difficult and crucial conversations? We will answer all of these questions throughout this chapter.
A study that was originally published in 1972 found that we spend up to 80% of our day in some form of communication. The study found that while about 30% of that time was spent speaking, a whopping 45% was spent listening.1 For those of you doing the math that means that we spend 1.5 times the amount of time listening as we do speaking.
Many, if not most of us, claim to be good listeners. Many, if not most of us, are not. To demonstrate, allow us to walk you through an exercise. Imagine working with a software development manager. Their team frequently promotes code to production riddled with security vulnerabilities. Now imagine this manager becoming defensive every time you try to address this issue. Many of you are probably starting to nod your head in agreement with a visual of this manager's face in your head.
Next, without any self-censorship, jot down some of the adjectives that immediately come to mind for this manager. We are willing to bet they are not very flattering.
Now, imagine that it is the eve of a major production release, and you realize that few, if any, of the vulnerabilities you pointed out in QA are addressed. How many of you just thought of some of those same adjectives to describe this person again? What would you do next? Would you get upset? Would you start yelling at this manager? Would you complain to another manager? Would you claim that you cannot work or reason with this manager? Would you think to yourself, “Why don't they just get it?”
Now, suppose you remain calm and ask the manager, “Why are these vulnerabilities not addressed?” The manager replies, “Look, I want to help you. I understand the importance of security. I really do, but my management insists that functionality trumps security and that we can always go back and fix security later. Our bonuses are tied to innovation, release burndown, return on investment of deployed features, and defect-free code. Nobody has told us how to demonstrate innovation by fixing a security hole or showing a return on investment on security features. Also, our leadership hasn't classified security vulnerabilities as defects. Our performance reviews, and therefore our success at this company, are also tied to these measurements. Put yourself in my shoes. What would you do?”
What would you do? Would some of those adjectives change? Would that change how you interact with and respond to this manager?
According to Mark Goulston in his book Just Listen: Discover the Secret to Getting Through to Absolutely Anyone, you did not listen. You did what many of us do. You used information gained from your early interactions with this manager, jumped to conclusions, and formed perceptions that became hard-wired with the adjectives that came to your mind during this exercise. Those words became a filter that you heard without truly listening.2 According to Goulston, the solution is simple. Think about what you are thinking and remove the filters. Easier said than done.
The process of summary may help. Carl Rogers, a renowned psychotherapist, wrote:
The great majority of us cannot listen; we find ourselves compelled to evaluate, because listening is too dangerous. The first requirement is courage, and we do not always have it.3
Rogers popularized the process of summary in regard to active listening. The process of summary prevents you from speaking up until you have restated the speaker's idea and feelings accurately and to their satisfaction. There are three primary advantages to this process:4
1. It forces you to pause and sincerely understand what a person is saying before replying.
2. It aids in the consolidation and efficacy of memory.
3. It restricts you from formulating a straw man argument when someone opposes you. A widely accepted description of a straw man argument is when one misrepresents a person's argument in a way that distorts the original argument and then refutes the misrepresentation instead of the opponent's actual view.
Ultimately, understanding someone else's point of view allows you to:
· Appreciate those views and learn something new.
· Refine your position against the original argument. In the case of our software development manager, it allows you to have a genuine and unbiased conversation around the issues that are preventing him from addressing security vulnerabilities.
Jordan Peterson does a great job at summing this up:
If you listen, instead, without premature judgment, people will generally tell you everything they are thinking – and with very little deceit.5
Albert Einstein supposedly once said in an interview, “If I had an hour to solve a problem and my life depended on the solution, I would spend the first 55 minutes determining the proper question to ask, for once I know the proper question, I could solve the problem in less than five minutes.” Even though we could not find definitive attribution to Einstein, this quote's meaning and intent apply directly to what we should be doing as cybersecurity leaders in every professional conversation.
What do we do when we are evaluating an SaaS provider? Ask questions.
What do we do when asked to define the security requirements for project du jour? Ask questions.
What has every cybersecurity professional ever to grace this planet asked in their head regarding the hypothetical development manager from earlier in this chapter? “What the $%^& did you do that for?” For the record, please do NOT ever say that out loud unless you have a very, very, very good relationship with the person, and it is in private and outside of the office! Even so, we do not recommend going down that road. Instead, take Jordan Peterson's advice and “listen without premature judgment.”
Nobody is born with the ability to ask effective questions. It is an ability you must actively develop over time and experience. Your voice, tone, body language, and delivery matter just as much as the question's actual content.
Picture walking through the door at the end of a long, difficult day and asking your spouse or partner, “What's for dinner?”
· Option A: Ask that question in a loving tone and appreciative of whatever may end up on your plate.
· Option B: Ask that question in a gruff, demanding tone, and then complain about what ends up on your plate.
If you wonder which option is the best choice, you probably need to read a different book – one that focuses on relationships and how to treat others. Also, if you happen to be married to a strong Greek, Spartan woman as I am, let me know how Option B works out for you. As ridiculous and evident as this scenario sounds, we seem to forget, at times, how to behave at the office. How many of us have responded to an email from a co-worker that triggered an emotional response and replied with an enraged email? How many of us wish we did not hit the Send button right after we did? I have – more times than I can count.
A better course of action is to first breathe. Second, go ahead and type that enraged email if it makes you feel better, but immediately delete it (do NOT save in “drafts”). Third, and getting back to asking questions, would be to use the process of summary to reflect about how you are interpreting the email and asking questions such as “What led you to this conclusion or course of action?” Doing so may even allow you to gain some empathy for the person's position on the other side of the email, and you can use that empathy to foster a more constructive conversation.
There are many benefits of asking questions beyond acquiring a new piece of information. One immense benefit is to persuade, which may be the most critical reason for cybersecurity professionals to ask questions. Since I am Greek, let's talk about the Socratic Method. The Socratic Method is an adaptive strategy of questioning that stimulates personal understanding, but it has been adapted for other purposes, such as persuading.6 The Socratic Method is named after, you guessed it, the Greek philosopher Socrates. He taught his students by asking a series of questions. The goal was to expose contradictions in the students' thoughts and ideas to guide them to concrete, defensible conclusions.
Let's apply the Socratic method to our software development manager's case from earlier in the chapter. The mileage of the following example may vary based on your personal past experience, but this example is meant to provide you with a framework and to provoke ideas that you can use in your specific situation.
“Why does your group consistently promote code with security vulnerabilities?”
“Because we don't have the time and resources.”
“Why don't you have the time or resources?”
“Because my management insists that functionality and new features trump security!”
“Why does your management insist that functionality and new features trump security?”
“Because our bonuses are tied to innovation, release burndown, return on investment of deployed features, and defect-free code.”
“Why are your bonuses tied to those metrics?”
“Because new features generate revenue.”
“However, return on investment is a measure in profitability, not just revenue, correct?”
“How much more time and effort does it take to fix a critical vulnerability early in the development process vs. after the code is promoted to production?”
“I see where you are going, but salespeople keep promising features we haven't developed yet!”
“I understand, but let's get back to what impacts your bonus checks, not theirs. I'm sure we have both heard the statistics that it takes ten times the time and effort to fix a code defect early in the development process vs. after promoting the code to production. Does the same hold true for security vulnerabilities in our environment?”
“Great. So, if a ‘traditional’ code defect and a security vulnerability have the same impact on profitability due to higher costs and, presumably, longer delays in offering the full functionality of the feature, why wouldn't your management treat them the same?”
“Because feature releases and bugs in the functionality of our application are tangible. Fixing vulnerabilities is not. Besides, it is not likely that vulnerabilities will be exploited, so it is difficult to prove the value in fixing those vulnerabilities ahead of the feature release.”
“Do you remember the data breach that our competitor suffered last year?”
“The root cause was a cross-site request forgery vulnerability, which is exactly one of the vulnerabilities that is in question here. Various news outlets estimate that it cost them several millions of dollars to recover from the incident, including one year of credit monitoring services for all of their customers that were affected. This does not include the negative press and reputational impact.”
“I see your point, but I'm not going to be able to convince management.”
“It is common for management to prioritize metrics that, in reality, lead to not meeting the intent of the business objectives the metrics are supposed to support. I think we can agree that security vulnerabilities in code are closer to being code defects than not, and defect-free code is a metric upon which you are evaluated. Are you willing to set up a meeting with your management to discuss how we can establish KPIs that incorporate fixing security vulnerabilities in the same manner as ‘traditional’ defects to address real profitability instead of feature releases? You may even come out of the conversation with additional headcount to tackle the challenge.”
“Yes. Yes, I am.”
We were able to go from vilifying this software development manager (in our heads) and from dreading working with this manager to convincing this manager to work with us in persuading his management to prioritize security vulnerabilities alongside other “bugs.” This development manager keeps his bonus, potentially gains more resources, and shows his management that he can raise his head above the weeds and present a business case that improves the return on investment in product features. You get a more robust application security program and reduce risk to the organization. The salespeople, well, the salespeople learn not to write a check they can't cash. It's a win for everyone!
We have all worked with THAT person. The person who seems never to smile and never has anything positive to say, or do they? Do we truly listen to that person to understand the meaning of the words coming out of their mouth, or does the resting scowl on their face prejudice us from respecting their opinion and views? Do they really have nothing positive to say? Nothing at all? Doubtful, but we often dismiss these people.
According to Daniel McNeill, author of The Face: A Natural History, smiling is innate. Some sort of smile, he writes, first appears two to twelve hours after birth. Those smiles may or may not have any context associated with them, but studies show they are crucial to bonding. McNeill notes that while “courtroom judges are equally likely to find smilers and non-smilers guilty, they give smilers lighter penalties, a phenomenon called the ‘smile-leniency effect.’”7
Think about yourselves at work and in your lives. To whom do you give the benefit of the doubt? The person who smiles, or the gruff person?
As cybersecurity professionals, we fight the stereotype that we are antisocial, paranoid techno-nerds (even though some of the most social, outgoing people I know are in our profession). Therefore, it is even more vital that we pay attention to how we present ourselves. We will talk about body language later, but smiling will undoubtedly help break that stereotype.
Of course, we don't always feel like smiling. Why is that? First of all, we are humans, and life is not full of rainbows and unicorns all the time. Secondly, from a professional standpoint, we are fighting an uphill battle. We have to be “right” all the time, and the bad guys only need to be right once. We lack budget and resources, leading to increased stress and anxiety from managing an underfunded program. We are burned out.
How do we change that? At the risk of sounding like a hippie, smiling is the way to go. We have heard the term “smiling is contagious,” but there is science to back that. Dr. Nicholas A. Christakis (Harvard) and Dr. James H. Fowler (University of San Diego) studied 4,739 people from 1983 to 2003. These individuals were surrounded by a more extensive network of 12,067 people, each having an average of 11 connections to others, and their happiness was measured every few years. Their findings confirmed the impact of a happy person, which smiling represents. A person's happiness is related to the happiness of their friends, their friends' friends, and so on, causing a snowball effect of happiness well beyond their initial interaction.8
I am not going to go on a soapbox rant about how the digital age caused us, as humans, to lose the finer points of interpersonal communication, but emojis were created for a reason. What I do know through experience is this: how you speak and how you write, in both the words you choose and the tone in which you deliver those words, can portray any range of emotions, but friendliness often leads to trustworthiness. Trustworthiness often leads to influence. Influence often leads to persuasion. Influence and persuasion will lead to your leadership, viewing you as a strategic partner within the organization vs. a tactical order taker. This can in turn lead to approved requests for budget and resources, and a properly funded cybersecurity program may relieve your stress and anxiety in running your cybersecurity program. Smiling is easy. If there is a small chance that smiling when you speak and write can elevate your team, department, and organization profile, isn't smiling worth the effort?
Smiling is only part of the nonverbal communication pie. Body language is the whole pie. Many of us rely on texts, Slack messages, and email to communicate in today's digital age. It's convenient and allows natural introverts to stay in their comfort zone. Every form of communication has a time and place. It's not practical to speak with someone face-to-face, or even verbally, every time we wish to communicate. However, what we lose in not seeing the person as we are speaking with them is potentially critical nonverbal cues, like facial expressions, on top of verbal ones, like voice inflection.
In case you have not picked up on the theme of this chapter so far, let me be explicit about it right now. It is “using various forms of communication to get our way.” Getting our way may be getting additional budget for a needed tool, bringing in a consultant to help with a risk assessment, or obtaining additional headcount for your team to keep up with your team's workload.
Body language is fundamental in “getting our way.” As cybersecurity leaders, we are often competing with other teams, which generate revenue for the organization while cybersecurity typically does not, for attention and budget. Remember the conversation around “Opportunity Cost” in Chapter 5 – Articulating the Business Case? Developing a business case around cybersecurity spend vs. another value creating activity is one matter. How you deliver and present the business case is another matter. We need every advantage to adequately fund our cybersecurity programs and get the resources we need to maintain the organization's cyber risk appetite.
In their book The Definitive Book of Body Language Allan and Barbara Pease state that research convincingly shows that if you change your body language, you can alter your mood before going out, feel more confident at work, become more likable, and be more persuasive or convincing. When you change your body language, you interact differently with people around you, and they in turn will respond differently to you.
At the end of the book, they summarize “The Seven Secrets of Attractive Body Language.” They are:
1. Face: Have an animated face and make smiling a part of your regular repertoire. Make sure you flash your teeth.
· In other words, do not have a resting curmudgeon face.
2. Gestures: Be expressive but don't overdo it. Keep your fingers closed when you gesture, such as in the form of a hand steeple where the fingertips of both hands are together. Also, keep your hands below chin level, and avoid arm or feet crossing.
· I am guilty of my hands going all over the place. I am Greek, and we speak with our hands. I continuously and consciously work on this.
3. Head Movement: Use triple nods when talking and head tilt when listening. Keep your chin up.
· I naturally tilt my head when listening because it signals my brain to focus and not worry about what is for lunch. I have also often used a head tilt to signal confusion, but my face usually becomes more expressive in conjunction.
4. Eye Contact: Give the amount of eye contact that makes everyone feel comfortable. Unless looking at others is a cultural no-no, lookers gain more credibility than non-lookers.
· Eye contact is difficult for many because it is so personal in nature. “Eyes are the windows to the soul.” It is essential to pick up on social cues that the other person is not comfortable with eye contact. A tell tale sign is when they avoid eye contact. That does not mean that both of you stare off into space. It means that you find a balance between eye contact, quickly looking away, and looking back again during the conversation.
5. Posture: Lean forward when listening, stand straight when speaking.
· Leaning forward signifies to the other person that you intently want to listen to what they are saying. Subconsciously, there is a connection with the physics of traveling sound waves. Being closer to the soundwave source, even by a few inches, allows one to hear better.
· Standing straight when speaking signals confidence and authority.
6. Territory: Stand as close as you feel comfortable. If the other person moves back, don't step forward again.
· Similar to “Eye Contact.” Be sure to pay attention to and respect cultural norms and social cues.
7. Mirror: Subtly mirror the body language of others.
· But don't let this get weird. For instance, both parties of the conversation cannot be listening simultaneously, so both of you leaning forward could violate territorial boundaries.9
I have noticed positive differences when minding my body language, whether it was my role as a cybersecurity leader within an organization, with a client now that I am consulting, or with a public speaking engagement. I challenge you to make these small, subtle changes and pay attention to the results.
Pretend that everyone is a two-year-old child who asks “why” to everything that you tell them. Now flashback to communicating to your team and getting them on board with a path forward with a tactical goal, especially when they do not initially agree with the decision. Simple, straightforward, all-around communication, up and down the chain of command, is an essential skill a leader must possess. Everyone must believe in and understand the “why” behind a particular request or management decision and then pursue the “what.”
Jocko Willink and Leif Babin outline in their book Extreme Ownership that leaders must remove themselves from the immediate tactical objective and understand how it fits into the organization's strategic goals. As a leader, when you receive a directive that you do not understand, it is your duty, to your organization and to your team, to ask “why?”10
People generally do not ask you to execute something tactical (e.g., a task or a project) for no reason. Before you can communicate the “why” to your team, you, yourself, must understand it and believe it. Take a step back and analyze the situation and the strategic picture as you understand it. Would you come to a similar decision or “ask” if the roles were reversed? If not, you must ask questions, continuing moving up the chain of command if needed, until you do.
Once you understand “why,” you can then communicate “why” to your team. People want to believe in what they are doing. Organizational strategies have failed. Heck, WARS were lost because leaders and frontline workers (troops) were misaligned in believing that what they were doing was worth their time, effort, and sacrifice. Just as you sought out understanding “why,” you must also make yourself available to your team to answer their questions. Once you and your team are aligned with how the specific tactical objective aligns to the organization's strategic objectives, you can move forward in determining the optimal path ahead in executing the objective (the “what”).
There is a rather crude saying that describes “stuff” rolling downhill. Still, it is your duty as a leader to provide feedback uphill on how strategic decisions impact operations and employees “on the ground.” The further removed from the top of the corporate ladder, or the strategic decision-maker, employees are, the further removed they are from a clear understanding of the “why,” even though the strategic decision-maker believes the reasoning behind the strategy is clear as day. It is this disconnect that leads to a misalignment between strategic and tactical goals. It is this disconnect that often leads to a misalignment of organizational goals and cybersecurity initiatives. Explain why, and don't be afraid of repeating yourself.
Dave Isay, the founder and president of StoryCorps, said in an interview, “A great story is one where you've captured something that feels authentic. That's the gold standard. If you've captured something in your documentary or storytelling work that feels like it's real and hasn't been altered in any way, that's good. In fact, it's a kind of miracle of communications … The beauty of an authentic audio story—and I love audio—is that when you're listening in your car or on your headphones, it's as if that person is whispering in your ear. It's very intimate. You're right there. A story authentically told is like an adrenaline shot to the heart. I don't think there's any better way of telling emotional stories.”11
Do you know what is even more intimate than the audio storytelling Isay describes? It is face-to-face communication. That is the kicker. Face-to-face communication allows you to have visual and audio storytelling through your voice, body language, and actions. You have an advantage that Isay typically does not have.
For cybersecurity leaders, our “documentary or storytelling work” is our cybersecurity program. There are many intricate pieces to the story. In Chapter 7 – Translating Cyber Risk into Business Risk, we highlighted the importance of KRIs and KPIs in measuring our programs' performance. That is true, but the delivery of your message is critical. You can choose to tell the story through KPIs, KRIs, threats, vulnerabilities, and incidents; however, that limits your potential audience. As an alternative, you can choose to use those items to inform your story but tell your story through a lens that a wider audience (e.g., the C-Suite or the board) will appreciate and understand. Take a moment and think about it from your own experience. Are you more impressed by a product or service when the salesperson starts spewing off a list of features, or are you more impressed when the salesperson shares a client success story that solved many of your current pain points? Which pitch do you remember first when it comes time for vendor selection? For example, AWS utilizes Case Studies as a primary method of communicating customer success, and their business has grown for many consecutive quarters. As we first discussed in Chapter 4 – Value Creation, either you intentionally control the narrative or simply present facts and let someone else fill in the gaps. As a CISO utilizes storytelling to add value inside a business, it is important to tailor each story for the audience, just as you would highlight unique features of your experience in a job interview.
It is time for another science lesson. Oxytocin is a chemical that is produced by our brains when we are trusted or shown kindness. It is released when you cuddle, hug, or practice skin-to-skin bonding with a newborn. A side-effect of oxytocin production is a greater motivation to cooperate with others. Oxytocin allows us to determine whom to trust. Dr. Paul Zak and his research team discovered this chemical. His lab has been able to hack the creation of oxytocin, and their studies have exposed why stories motivate cooperation. His team realized that to “soften up” others to cooperate, the story needed to sustain attention by developing some tension. If successful in creating that tension, then it is likely that the audience will become empathetic to the storyteller or the individuals in the story and continue to be empathetic long after the story ends. Why do we care? Because Zak's experiments demonstrate that character-driven stories that build tension result in a better understanding of the key points the storyteller wishes to make. Listeners are then able to better recall key points weeks later. As you can imagine, his research also shows that storytelling's effectiveness surpasses the efficacy of a standard PowerPoint.12
There are five basic steps in creating a story:13
1. Determine whom you are trying to reach (your audience) and find out as much as you can about them. Recall “Stakeholder Analysis” from Chapter 5 – Articulating the Business Case and be sure to invest time to understand their perspective and specific needs.
· What are their hot buttons? What topics are non-starters? I recently heard of a CEO at a security product company who kicked people out of the room or hung up a call if somebody mentioned the word “COVID.”
2. Figure out what you want them to do.
· Do you want leadership to approve the budget or headcount? Do you need your team to execute on a critical initiative? This is a great opportunity to leverage SCI-PAB® from Chapter 5 – Articulating the Business Case.
3. Think through the challenges that may get in the way of that goal.
· People, process, technology, or budget? Think about security control friction and cost concepts, such as “Opportunity Cost” and “Cost Avoidance” from Chapter 5 – Articulating the Business Case.
4. Find a character who has overcome that challenge.
· What is the common ground? Can you blend prevention and promotion to increase your options (Chapter 3 – Business Decisions)? Appeal to risk reduction over cost (only works if risk reduction is greater than cost), cost savings, speed to market, etc. What workarounds are available for the challenges you identified in step 3?
5. Make sure there's a resolution to your story.
· Everybody loves a happy ending, and nobody loves a story with no end.
In the book Made to Stick, Chip Heath, one of the authors, teaches a course at Stanford. During that course, he puts the student through an exercise where he presents them with data regarding crime in the United States. He splits the class 50/50 into two groups. One group is to persuade the class that nonviolent crime is a serious problem in the United States, and the other group is to convince the class of the opposite. The class rates each speaker after each speech on items such as delivery and persuasiveness. After the class thinks the exercise is over, and after Chip kills time by playing a Monty Python clip, he asks them to write down, for each speaker, ideas they remember. Many students completely froze, not being able to recall a thing.
Interestingly, 63% of the students remember the stories within the speeches, and only 5% can recall any single statistic.14 For cybersecurity leaders, those statistics are analogous to regurgitating KRIs and KPIs. Are you still wondering why the C-Suite and the Board of Directors “just don't get it”?
In short, stories stick. If you want your audience to connect with you, remember you, and most importantly, side with you, learn to use stories.
I venture to guess that many of you reading this book dread and even, on occasion, avoid having difficult conversations. There are three factors that define a crucial conversation:15
1. Opinions differ
2. The stakes are high
3. Emotions are high
In cybersecurity leadership, crucial conversations are commonplace. They include a range of scenarios, such as:
· Reporting detected fraud
· Reporting child pornography to authorities
· Disciplining a friend
· Terminating a team member
· Asking for a raise
· Confronting a top executive about how they have personally contributed to policy violations
· Investigating corporate and extramarital scandals
· Negotiating a starting salary
· Asking for an increase in budget
· Closing the sale on a colossal account
· Delivering bad news to your team
· Speaking with congressional committees and public hearings after a major data breach
· As you can tell by the non-exhaustive list above, difficult and crucial conversations are a challenge that you must tackle head-on as a cybersecurity leader.
This section will, admittedly, seem like a book report for the book Crucial Conversations: Tools for Talking When the Stakes Are High, but we will strive to align it to cybersecurity challenges we all face. It is by far the best and most practical book that I have read on the topic. Like many of you, I do not relish having difficult conversations, and this book helped me navigate some pretty significant minefields after I read it. The book is one tool that I wish I had stumbled across early in my career as it would have saved me much anxiety, but alas, I only came across the second edition around 2015 – a few years after it was published. I will do my best to pull out the key points that have worked for me, but of all the books referenced throughout this book, Crucial Conversations is by far the most versatile and powerful.
The authors outline a seven-step model handling crucial conversations derived based on 25 years of research with 20,000 people. The seven steps are:16
1. Start with the heart
2. Learn to look
3. Make it safe
4. Master stories
5. STATE your path
6. Explore Others' Paths
7. Move to action
I'll walk through these seven steps and describe how to apply each in our day-to-day interactions as cybersecurity leaders.
Start with the Heart
If you start a crucial conversation with a closed mind and the wrong emotions and mindset, it is probably not going to end up well. Suppose you immediately say “no” to a business unit without fully understanding what is at stake (e.g., speed to market to gain a first-mover advantage) because their request will violate a cybersecurity policy or standard. In that case, you will cause friction within the requested business process, your interpersonal relationship, and your need for the organization to view you as a partner vs. an obstacle. Ask yourself what you want and what is really at stake. If you start the conversation with an open mind and the right emotions and mindset, the conversation is more likely to have a positive outcome. If we cannot maintain an open mind or manage our emotions and mindset during a crucial conversation, how can we expect the other party to do the same? It is imperative to remember that your view may not be the only version of the truth and that you may very well be wrong (gasp)! Check your ego at the door. Let us refer back to our favorite software development manager from earlier in this chapter. Our perception and interactions with him were vastly different before and after we decided to stay calm, keep an open mind, ask questions, and listen.
The first step of having a crucial conversation is to have a crucial conversation with ourselves. We are often quick to play the blame game with the other person, but we also shoulder some of the blame. Have you ever been passive-aggressive? Have you ever tried to change someone's behavior through sarcasm or veiled hints instead of addressing the issue head-on?
Most important, we need to maintain mutual respect. Your authenticity will come through in both your verbal and nonverbal communication. Remember, you do not have to like someone to respect them. Bear in mind that often feelings of disrespect come from focusing on our differing views versus our commonalities. Use those commonalities to build a foundational level of respect and build from there. Everyone brings strengths and weaknesses to the relationship and the crucial conversation. Yes, I said it. Even cybersecurity superheroes have weaknesses!
Learn to Look
Have you ever been so caught up in a crucial conversation that although you know it is going sideways, you cannot seem to break out of it? There are three things you need to look for to help head off potential problems before it becomes too late:17
1. Look to spot crucial conversations.
2. Look for safety problems.
3. Look for your style under stress.
Look to Spot Crucial Conversations
Train your brain to look for these three signs:
1. Physical signs: It is no secret that stress manifests itself physically, either acutely in the moment or over the long term. Do you feel your face get flush? Can you start to feel your heart race? Do you lose your train of thought and try to get words out faster than your brain can process? Do you feel a tightness in your throat? What was your first reaction to our development manager from earlier in the chapter?
2. Emotional signs: Are you feeling scared (I have yet to see a cybersecurity superhero admit this)? Anxious? Nervous? Angry? Hurt?
3. Behavioral signs: Do you start raising your voice? Do you get very quiet? Do you point your finger? Do you cross your arms? Do you throw up the universal “talk to the hand”?
There is no universal way to train oneself to pick up on these cues; however, what works for me is pausing, taking a deep breath, and consciously asking myself, “Okay … what are you feeling or observing right now?” Did I just give away my tell at the poker table? Maybe …
Look for Safety Problems
Can you spot when the other party of the conversation is exhibiting the signs we mentioned above? In addition to the above, you can spot signs that you, or the other person, are afraid and feel unsafe in the conversation by detecting shifts in the conversation's content.
A safe conversation implies that it is safe to say anything without judgment and fear of the other party blowing up. Free-flowing dialogue is essential in a crucial conversation, and nothing kills a free-flowing dialogue like fear.
Another sign that a conversation may be getting unsafe is when you or the other person seem to lose focus. When emotions kick in, some cognitive brain functions shut down. It is easier to identify losing focus than admitting we are getting emotional. When you recognize you are losing focus, try to detach and react (as Jocko Willink puts it). Relax, look around, and make a call on how to flip the conversation from unsafe to safe. Do something to fix it. As the authors put it, CRIB it to get the conversation back to a safe space and back to a mutual purpose. CRIB stands for:
· Commit to seeking a mutual purpose
· Recognize the purpose behind the strategy
· Invent a mutual purpose
· Brainstorm new strategies
Look for Your Style Under Stress
The authors outline six styles that we use when we are under stress. It is essential to recognize those patterns so that you can detach and react accordingly to fix the conversation's safety.
The six patterns are lumped into two groups: silence patterns and violence patterns. Silence patterns include actions meant to withhold or omit information from the conversation purposefully. Violence patterns consist of attempts to control, coerce, or punish others.
· Masking: Understating or selectively showing your genuine opinions. Sarcasm and sugarcoating are both examples. We never see this among our cybersecurity peers. Never …
· Avoiding: Steering entirely away from sensitive topics. I once had a peer steer away from a sensitive topic by sarcastically suggesting that we move to another sensitive topic (masking). The quote was something to the effect of, “Let's stay away from the sensitive topics, and end this meeting with a prayer.”
· Withdrawing: Pulling out of a conversation altogether by exiting the conversation or leaving the room. I admit I have been guilty of this in the past. The reason was partly frustration and partly to make a point that the conversation was going nowhere. In hindsight, that is not the best way to “reset” the conversation.
· Controlling: Coercing others into your way of thinking through forcing your views on them or dominating the conversation.
· Labeling: Putting a label on people or ideas to dismiss them as a stereotype or category.
· Attacking: Moving from winning to making the person suffer.
The authors have a self-scoring test that you can take at www.CrucialConversations.com/exclusive (requires registration).
Make It Safe
We need to make a person feel “safe.” Not in the “safe spaces at universities” kind of way, but safe in the way they feel comfortable participating in a two-way, free-flowing dialogue with you. The safer they feel, the more likely they are to open up. The less safe they feel, the more likely they will either close down or fight back.
Sometimes, we focus so much on words and fail to pick up on nonverbal cues. Specifically, we miss nonverbal cues that the other person may no longer feel safe in the conversation. We need to be ever-conscious of the conversation's content, the context of the conversation, and ourselves.
By detaching from the conversation when we sense it is becoming unsafe, we remove ourselves from the conversation's content, which allows us to refocus on the desired result. We can then shift focus to the context of the conversation and clear up any misunderstandings. How often have we tried to state something positive that was misunderstood or misinterpreted by the other person? This is the time to fix it. We did this earlier in the chapter in our conversation with the software development manager through the following dialogue:
“How much more time and effort does it take to fix a critical vulnerability early in the development process vs. after the code is promoted to production?”
“I see where you are going, but salespeople keep promising features we haven't developed yet!”
“I understand, but let's get back to what impacts your bonus checks, not theirs. How much more time and effort does it take to fix a critical vulnerability early in the development process vs. after the code has been promoted to production?”
You sensed that the manager was starting to feel unsafe as he was beginning to get defensive and attempted to shift the focus of the conversation. You were able to detach, evaluate, and reset the conversation by turning the manager's focus on something that he cares about … his bonus. You were able to establish mutual purpose by signaling that you wanted to ultimately reduce his workload by addressing vulnerabilities earlier in the software development life cycle (SDLC) rather than later. You were able to demonstrate that you were listening to him openly and respectfully. Doing so led to the manager opening up and sharing more as the conversation progressed until we found ourselves on common ground. Ultimately, you were able to restore.
Crucial conversations involve emotion. Emotions are contagious, and that's where we'll continue to focus. So, how do we stay out of our emotions during the conversation? Essentially, how do we keep a poker face? Make up a story. It is not a story that you will spell out in your actual conversation, but rather a story to yourself that outlines what you are feeling. Stories allow you to explain to yourself what you are feeling and whether it is good or bad.
Stories drive feelings, and feelings drive actions. Therefore, if you can change the story, you can change your actions. The path to action is shown in Figure 8.1.
FIGURE 8.1 Path to Action
For example, you may be in a meeting about a project that is going off-track:
· See/Hear: Bob just said that he was waiting for a critical piece of information from me that caused him to miss an important deadline.
· Tell a Story: This is not true. Bob is trying to throw me under the bus for his ineptitude, and if I speak now, I will look defensive.
· Feel: Angry, betrayed
· Act: Withdraw, or become snippy
Obviously, this is not a good story, and you have lost control of the conversation. The way to change a story is to retrace your path to action by shifting your mental gear into reverse:
· Act: Pay attention to your behavior. Are you exhibiting one of the six Styles Under Stress?
· Withdrawing from the conversation is a silence pattern.
· Feel: What are you feeling? Be precise. Understanding what you feel presents a more accurate picture of what is happening and why. Are you outraged, or are you, in reality, embarrassed? While you will not break out a tool to help you determine how you are feeling in the heat of the moment, you can improve your self-awareness by using a tool like the one Lindsay Braman created at https://lindsaybraman.com/emotion-sensation-feeling-wheel/.
· Bob has never acted this way in the past. I am more surprised than angry.
· Tell a Story: Analyze your feelings and original story. Are your feelings appropriate? Are you telling yourself the right story? Remember, stories drive feelings, and we make up the stories. Be sure not to confuse stories with facts.
· I have never seen Bob throw anyone under the bus before, so there likely is not any malice behind his comments.
· See/Hear: Focusing on behavior allows you to separate fact from story. “Bob lied” is different from “Bob is mistaken.” “Lied” implies intent to deceive, and you can't be certain of Bob's intent.
· Bob is mistaken, but why? Where is the communication breakdown?
By taking this approach, we can change the story. We can now proceed with having a conversation about where the communication breakdown occurred and how to prevent it from happening again.
STATE Your Path
To proceed with the above conversation safely requires a few things:
· Confidence in yourself to have the conversation
· Humility and self-awareness to not get worked up so that you can keep the conversation safe
· Skill to maintain the free-flowing dialogue
The STATE method can help in this regard: STATE stands for:18
· Share your facts
· Start the conversation with the observable facts and not the story that is driven by your emotions and assumptions.
· Facts are the least controversial and provide a safe beginning.
· Facts are the most persuasive and form the foundation of belief.
· Facts are the least insulting because your story (assumptions) could surprise and insult others and immediately kill the safety of the conversation.
· Tell your story
· The facts plus your story (assumption) warrants the conversation in the first place.
· If the person becomes defensive, be mindful of your State Under Stress, detach and bring the conversation back into safety.
· Ask for others' paths
· After you share the facts and tell your story, ask the other person to do the same.
· Listen actively and be open-minded to rebuild your story as more information is presented.
· Talk tentatively
· Remember that your story is an assumption and not a fact.
· Share the story as a possibility, not as a certainty.
· In short, share your story as a story and not as a college lecture of facts.
· Encourage testing
· Invite opposing views and mean it!
· Play devil's advocate on your own views.
· Do it until your motive becomes obvious.
· The degree to which you encourage testing is a test of whether your motive is to win a debate or to engage in real, free-flowing dialogue.
The first three skills describe what to do, and the final two describe how to do it.
Explore Others' Paths
Exploring others' paths is, effectively, getting the other person to retrace their story. You can accomplish this by:
· Inviting others to share what is on their minds and to be sincere. Think about it. How often have you been able to sense the insincerity in others?
· Genuinely be curious.
· Stay curious. It is easy to get wound up as the other person's version of the facts emerge. Staying curious helps keep you grounded.
· Be patient. Give the other person time and space to build safety by recounting their version of the facts.
Easier said than done, you say? Well, fortunately, the authors give us a set of skills to facilitate getting the other person to retrace their story, which uses the acronym AMPP:19
· Ask to get things rolling. Be mindful of not expressing your biases.
· Mirror to confirm feelings. Mirroring establishes rapport and safety.
· Paraphrase to acknowledge the story and to ensure that you understand their story without sarcasm or bias.
· Prime the pump. When all else fails, you may share your interpretation so that the other party can steer you to a better interpretation, if needed.
What if, after all of the above, you still disagree? What if the other person's facts are entirely off base and their story (interpretation) does not align with yours? Go back to your ABCs:20
· Agree: People often disagree on a small minority of the facts and stories. Recognize when do, acknowledge it, and move on.
· Build: Do not create a mountain (an argument) from a molehill (a small disagreement of the facts and stories). Acknowledge the common ground and build from there.
· Compare: Try not to directly call a story “wrong.” Try comparing your story with the other person's. Comparisons generate more dialogue rather than emotions.
Move to Action
Now that you have completed the first six steps of managing a crucial conversation, now what? How many plans have you seen, or how many meetings have you attended, where nothing happened as a result? Nobody did anything about the plan, meeting ideas and decisions, etc.
Getting stuff done 101 dictates that to get stuff done, you must do two things. First, you must agree on how a decision will be made. Second, you must have a plan with assigned responsibilities and accountability.
Agree with how to decide before making a decision. Several variables may determine how to proceed, such as whether one person can decide or if the decision needs to be made by committee. There are four forms of decision-making:
Many organizations have defaulted to one of the above through the evolution of their culture over time. The culture may be hierarchical, command and control, or the culture may be one to build consensus to the extent where nobody bears any responsibility. Four guiding questions help determine which approach fits best for the given situation:
1. Who cares about the decision?
2. Who knows what is needed?
3. Who must agree on the decision?
4. How many people is it worth involving?
A decision is pointless without a plan. It is critical to establish who does what by when with defined deliverables, assigned ownership of those deliverables, and deadlines. It is also important to lay out follow-up timeframes and methods (e.g., email, meetings, video calls) to ensure that the deliverables are on track and on time. The best-laid plans are challenged once you get punched in the face (Mike Tyson said something similar), but one thing is for certain. Without a plan, the decision will likely fade away.
Presenting a brief on your cybersecurity program to your executive leadership team or board of directors is one of the most positive crucial conversations you can have as a cybersecurity leader. These conversations can make or break your cybersecurity program from a visibility, budget, and overall resource perspective.
Let's go back and review the case study from the “Application” section of Chapter 7 – Translating Cyber Risk into Business Risk. To refresh the stage, one of my clients services the energy sector, and there was a new CIO on board and mostly new company leadership. The new CIO had several concerns about the protection of sensitive data and industrial control systems. After the assessment, we went to the board to get funding to mitigate the key risks that we identified. Below is how part of that conversation occurred to the best of my memory and my notes. Particularly sensitive information is omitted.
BOARD MEMBER #1:
“Thank you for the briefing. Admittedly, we have typically seen cybersecurity as ‘insurance’ with no return on investment, but you certainly raise some valid points. Let's start with the first issue. Why should I care about industrial control systems connected directly to the Internet? Isn't that an Operations issue?”
“Sir, thank you for the opportunity. If I understand you correctly, you are asking why we are addressing this issue at the board level? In other words, you would like to understand the impact of the risk better?”
BOARD MEMBER #1:
“Yes, I believe that is a fair representation of my question.”
“In the world of operational technology, or OT, cybersecurity has a direct impact on safety. That is why we partnered with Operations, HR, and Environmental, Health, and Safety teams to roll out a security awareness plan to highlight cybersecurity risk across the Operations teams. However, awareness is only one part of the puzzle. Operations has a different culture than back-office IT. What is the #1 thing that keeps you up at night regarding operational risks?”
BOARD MEMBER #1:
“Safety to our employees, of course.”
“Good. This is exactly why safety metrics are part of the organizational KPIs. Since operational technologies control physical processes, a compromise in the OT environment can directly impact employee safety. A cybersecurity compromise within OT has a different impact than within the traditional IT environment. The threats, vulnerability, and risks are different in OT.
The solutions we presented would first prevent access to the OT environment from the internet and segment the operational technology environment from the IT corporate network, where a compromise is more likely to occur and pivot. Our roadmap then matures cybersecurity within the OT environment in a separate phased, yet parallel, path to the IT cybersecurity program.”
BOARD MEMBER #2:
“We understand the significance of the problem. Thank you. Now that we've addressed that, let's move to another point. How exactly are we losing sensitive sales information?”
“Thank you, ma'am. So that I am clear, I understand that you are concerned with sales information that may materially impact the organization's revenue, leaving the organization and being used by a competitor?”
BOARD MEMBER #2:
“Yes, that is correct.”
“Thank you. The main issue here is surrounding the ‘Bring Your Own Device’ policy. The organization decided to allow employees to use their personal devices for work; however, controls such as the proposed mobile device management and data loss prevention solutions were not implemented in conjunction with the policy. As a result, when individuals, such as salespeople, leave the organization, there is nothing in place to ensure that information such as customer lists, prospective deals, and ongoing projects do not go with them. The risk is that these individuals can take these lists with them to their new organization, which is likely a competitor. Based on my interview with your Chief Financial Officer, the average deal size in flight is in the millions. What is your risk appetite around losing these deals, or this type of competitive sales intelligence landing in the hands of a competitor?”
BOARD MEMBER #2:
“Our risk appetite is very low for this. Depending on the deal size, even one single deal shifting to a competitor could be material.”
“Even one single deal shifting to a competitor could be material?”
“Thank you. That is very enlightening. The solutions and budget that we have proposed for the next year cost less than the 12-month average of a single deal. In that light, should we move on to discussing exactly how that budget will be allocated and measured?”
BOARD MEMBER #2:
“Your ask is completely reasonable given that perspective. I fear you may be asking for too little, given the size and scope of the environment. Yes, let's move on to discussing the budget request in more detail.”
There you have it. As I mentioned in Chapter 7 – Translating Cyber Risk into Business Risk, we secured the budget. Note that I used several techniques outlined in this chapter, including AMPP, the process of summary, and some of the Socratic method. You can't see the smile and confident body language that I made a conscious effort to maintain, yet still seem genuine. We often think of crucial conversations in a negative light, but with some practice, you can turn them into a positive for your cybersecurity program!
· Above all else, listen. Summarize the other side of the conversation back to the other person to ensure that you correctly understand their meaning and intent.
· Ask questions. Sometimes, answering a question with a question can get you answers and consensus.
· Smile. Smiles are contagious.
· Be mindful of your body language.
· Ensure your subordinates, peers, and executives understand “why.” In the case of subordinates and peers, do they understand your commander's intent? Do you fully understand your leadership's commander's intent?
· Share battle stories. People understand and comprehend stories better than facts.
· Tackle crucial conversations head-on. Practice the seven steps and several techniques we outlined above. Don't be afraid to role-play with a spouse or a trusted colleague.
1. 1 Klemmer, E.T., and Snyder, F.W., “Measurement of Time Spent Communicating,” Journal of Communication 22(2) (1972): 142–158. https://doi.org/https://doi.org/10.1111/j.1460-2466.1972.tb00141.x.
2. 2 Goulston, M., Just Listen: Discover the Secret to Getting Through to Absolutely Anyone, AMACOM, 2015.
3. 3 Peterson, J.B., Doidge, N., and Van Sciver, E., 12 Rules for Life: An Antidote to Chaos. Random House Canada, 2018.
4. 4 Peterson, J.B., Doidge, N., and Van Sciver, E., 12 Rules for Life: An Antidote to Chaos.
5. 5 Peterson, J.B., Doidge, N., and Van Sciver, E., 12 Rules for Life: An Antidote to Chaos.
6. 6 Wilberding, E.P.D., Socratic Methods in the Classroom: Encouraging Critical Thinking and Problem Solving Through Dialogue, Prufrock Press, Inc., 2019.
7. 7 Canegie, D. and Associates and Cole, B., How to Win Friends & Influence People in the Digital Age, Simon & Schuster Paperbacks, 2011.
8. 8 Fowler, J.H., and Christakis, N.A., “Dynamic Spread of Happiness in a Large Social Network: Longitudinal Analysis Over 20 Years in the Framingham Heart Study,” BMJ (Online) 338(7685): 23–26. https://doi.org/10.1136/bmj.a2338.
9. 9 Pease, A., and Pease, B., The Definitive Book of Body Language, Bantam Books, 2004.
10. 10 Willink, J., and Babin, L., Extreme Ownership: How U.S. Navy Seals Lead and Win, St. Martin's Press, 2017.
11. 11 Black, M., “Something that Feels Authentic”: StoryCorps's Dave Isay on Storytelling, The Communications Network, n.d.
12. 12 Zak, P.J., Why Your Brain Loves Good Storytelling, Harvard Business Review, 2014.
13. 13 Biesenbach, R., Unleash the Power of Storytelling: Win Hearts, Change Minds, Get Results, Eastlawn Media, 2018.
14. 14 Heath, C., and Heath, D., Made to Stick: Why Some Ideas Survive and Others Die, Random House, 2007.
15. 15 Patterson, K., Grenney, J., McMillan, R., and Switzler, A., Crucial Conversations: Tools for Talking When the Stakes Are High, McGraw Hill, 2012.
16. 16 Patterson, K., Grenney, J., McMillan, R., and Switzler, A., Crucial Conversations: Tools for Talking When the Stakes Are High.
17. 17 Patterson, K., Grenney, J., McMillan, R., and Switzler, A., Crucial Conversations: Tools for Talking When the Stakes Are High.
18. 18 Patterson, K., Grenney, J., McMillan, R., and Switzler, A., Crucial Conversations: Tools for Talking When the Stakes Are High.
19. 19 Patterson, K., Grenney, J., McMillan, R., and Switzler, A., Crucial Conversations: Tools for Talking When the Stakes Are High.
20. 20 Patterson, K., Grenney, J., McMillan, R., and Switzler, A., Crucial Conversations: Tools for Talking When the Stakes Are High.