Part III

Cybersecurity Leadership

CHAPTER 9

Relationship Management

Get closer than ever to your customers. So close to them that you tell them what they need well before they realize it themselves.

— Steve Jobs

Opportunity

In the age where seemingly every company is undergoing a “digital transformation,” cybersecurity leaders have a unique opportunity to flip the narrative on cybersecurity. Cybersecurity is one of the few groups within the organization with the tools and capabilities to build visibility into most, if not all, of the organization's critical business processes and data flows. In Chapter 2 – Business Strategy Tools, we reviewed this unique vantage point in the context of value stream mapping. Again, this level of visibility allows cybersecurity teams to be a crucial partner in building business resilience, enabling process improvements, and increasing competitive advantage.

The business needs cybersecurity involved early and often in digital transformation initiatives because it needs proactive cybersecurity insights and strategies for success. Fostering relationships with the C-suite and other business unit leaders allows cybersecurity leaders to learn about digital transformation initiatives early on. We described the process of Stakeholder Analysis and Influence Maps in Chapter 5 – Articulating the Business Case. Along with the business acumen we have covered in this book up to this point, cybersecurity can get ahead of potential risks by engaging business unit leaders early regarding the key technologies they rely upon to generate business value. Recall the Beverage Manufacturer Case Study of Chapter 4 – Value Creation. Cybersecurity teams can proactively research these technologies, anticipate the need for new technologies as each business unit embarks on a digital transformation initiative, proactively identify cyber risk, and bring recommended risk mitigation measures to the table. In order to deliver on this promise, you must have solid relationships.

Principle

Like it or not, cybersecurity is a team sport. A wide receiver on a football team cannot catch any balls without a quarterback throwing the ball, and a quarterback cannot throw the ball without an offensive line that blocks for them. The same goes for a cybersecurity team. A cybersecurity team cannot operate in a vacuum, and a robust cybersecurity program relies on individual technical skills and interpersonal relationships across cybersecurity, IT, and other business units.

Cybersecurity teams cannot rationally complain that “people are the weakest link,” yet isolate themselves from those very people. Unfortunately, this approach is commonplace, which leads to those teams being alienated and the cybersecurity team being marginalized. The most effective cybersecurity leaders develop trusted relationships with other business leaders to foster a culture of security across the organization. As discussed in Chapter 6 – Cybersecurity: A Concern of the Business, Not Just IT, implementing and enforcing security controls is much more effective when cybersecurity is done with the business and not to the business. To accomplish this, you must develop positive relationships across the organization and at all organizational levels.

Relationships across and up your chain of command with other leaders, executives, and your board members require you to establish an executive presence to ensure you gain support and resources for your cybersecurity program. Relationships with your peers allow you to execute on a cybersecurity strategy. For example, cybersecurity often relies on Audit Committee members, IT teams, and system administrators. We need their critical insights to aid with setting priorities, securely configuring systems, asset management, executing change control, and even applying patches. Finally, relationships down your chain of command ensure that your entire team is aligned and engaged.

Relationships external to your organization are also critical in succeeding in your current role and preparing for your next role. Networking and developing relationships with peers at other organizations and in other industries can facilitate the sharing of information about current and emerging threats and can provide different perspectives on solving challenges you currently face. Networking helps accelerate your growth as a cybersecurity leader. The more you give, the more you gain. Lest we forget, our external interactions include product vendors, service providers, auditors, regulators, and even our customers. People comprise each of these organizations, and strong relationships with these outside parties are necessary for a truly resilient cybersecurity posture. Indeed, whether you are building and improving relationships internal or external to your organization, you cannot do so without trust.

In this chapter, we will focus on building and maintaining relationships through four key traits:

· Establishing and Maintaining Trust

· Indirect Influence

· Managing Through Conflict

· Professional Networking

Establishing and Maintaining Trust

If you were hoping for a conversation on “Zero Trust” or “HITRUST,” then I'm sorry, but not sorry, to disappoint. Establishing trust is not an option if you, as a cybersecurity leader, wish to elevate your profile within the organization and be invited to strategy discussions. Your capacity to build trust is a primary predictor of your success. Cybersecurity leaders have to establish trust across a wide variety of stakeholders. So, it is essential that our teams consider the organization's interests first when acting upon cybersecurity risk. Otherwise, we risk reverting to the “Department of No,” as a group of paranoid tech guys in the dark corner worried about esoteric improbabilities.

As a leader, you need to establish trust with your employees and peers. Others need to have confidence that you “have their back.” In particular, your employees need to know that you have the team's best interest in mind when making decisions. Empire building and personal glory are two ways cybersecurity leaders can leave others feeling betrayed. Sometimes we face difficult decisions, and even when you execute flawlessly, it is easy for others to misinterpret your actions. Thoughtful integrity in those vital moments of choice, and fervent alignment with your highest values, demonstrate your commitment to your team. You must be maniacal in demonstrating loyalty and commitment to shared values.

It is hard to overstate the value of establishing trust across your organization. Trust gets you that coveted seat at the table. Trust brings you an increased budget and resources for your cybersecurity program. Trust allows you to leverage other teams to execute your cybersecurity priorities (e.g., procurement for third-party vendor risk management). Trust enables you to retain employees and reduce the cost of employee turnover. This list is by no means exhaustive, but I'm sure you get the point.

There are numerous books and resources out there about establishing trust. Here, I am going to boil it down into five points that have proven useful while building trust.

1. Say what you do and do what you say.

2. Be authentic and congruent.

3. Be transparent.

4. Shut the hell up and listen.

5. Be humble.

Say What You Do and Do What You Say

There is the old axiom that “trust takes years to build, seconds to break, and forever to repair.” In fact, Stephen Covey, a world-renowned leadership expert, says that keeping commitments “is the ‘Big Kahuna’ of all behaviors. It's the quickest way to build trust in any relationship – be it with an employee, a boss, a team member, a customer, a supplier, a spouse, a child, or the public in general.”1

Think about a time when someone failed to keep a promise or commitment. Have you ever been promised a promotion only for it to fall through? Have you ever been stood up at a meeting without a courtesy “I need to reschedule” email? How did it feel? The person who failed to keep the promise may not have had control of all of the factors that contributed to your disappointment. I'll bet that didn't stop you from feeling like you misplaced your trust.

Now, let us switch roles. When you tell your boss that you'll have your budget ready by the end of the week, make sure that you do. If you tell a co-worker that you do not have an answer to their question but that you will research it and follow up with them, make sure that you do. If you tell an employee that you will review a work product and provide feedback, make sure you do. I understand this sounds simple, so why do we have such a hard time keeping promises at work? Nobody is perfect, and we have all missed deadlines and broken promises; however, earning a reputation for keeping your promises will establish your reliability and strengthen your working relationships. Making and keeping commitments is the foundation of integrity, one crucial element in establishing trust.

Let's go back to our development manager's story from Chapter 8 – Communication – You Do It Every Day (or Do You?). If you recall, we told the development manager that if he agreed to set up a meeting with his management to prioritize fixing security vulnerabilities, they might even come out of the conversation with additional headcount to tackle the challenge. Even though this was not a firm promise, the implication is that you will fight for that headcount. If you go into that meeting caring only about your own interests (fixing vulnerabilities) and not theirs (resources), the development manager may well view that as a broken promise. Integrity is not something to be taken lightly.

Here are some things I have learned throughout my career to help me keep my promises. Some, I learned the hard way:

· Just say “no”: We all want to be liked. Rather than offering a counterfeit “yes,” establish boundaries and know what commitments you can (or want to) accept. When in doubt, politely decline or negotiate (more on this in Chapter 12 – Negotiation). Empathy is key here. Imagine that you promised to send an employee to training and then fail to come through on that promise. Be prepared to lose that employee to an organization that will. Perhaps a downturn in the market resulted in budget constraints, which is clearly entirely out of your control, but that may not matter. In addition to careful negotiation and empathy, precise language can help mitigate the risk of broken promises. For example, you might communicate that “Training is in the budget. Please hurry and submit your training request so that we can pay for it while the budget is still available.” In this way your intent is clear, and if your capability to deliver is diminished, there is no confusion.

· Create a trigger: First, precisely clarify your commitment. Utilize the “Process of Summary” from Chapter 8 – Communication – You Do It Every Day (or Do You?) to confirm a common understanding with others involved. Then, establish a trigger. I capture my commitments as a task in my calendar, which ensures that I proactively allocate time in my calendar to honor my word. Finally, stay disciplined. It is easy to think, “I have some time to catch up on emails before tackling that task.” Ten-minute distractions have a tendency to evolve. When they do, you are placing your integrity at risk.

· Apologize and take ownership: It will happen. You will break a promise someday. It is almost as certain as death and taxes. How you handle breaking a promise will impact your ability to mend the relationship and rebuild trust. Priorities shift, emergencies occur, equipment breaks. Often, the circumstances are out of your control. There is a difference between making excuses and being transparent. A sincere apology can make a huge difference. Don't be a victim. Don't make excuses. Especially do not blame others or cite your “bad luck.” People who sincerely apologize and take ownership strive to find a workaround or an alternative solution. They then endeavor to avoid reoccurrence of the transgression. We suggest you follow this pattern.

Be Authentic and Congruent

Consistency builds trust, and results matter. When you need to delegate a critical assignment, to whom do you turn? Do you rely upon the person who is consistent in meeting goals or gamble with someone who may deliver excellent results one week and disappoint the next? Inconsistent results are bad for business and bad for your reputation.

Think back to a person who said one thing and did another. Politicians on both sides of the aisle are notorious for this behavior. An empirical poll of my friends reveals that politicians are less trustworthy than gas station sushi! As leaders, we need to be consistent in our communication, actions, and behavior. Stephen Covey calls this “congruence” when the three come together in a truly authentic fashion.2 Consistently demonstrating congruence validates that you are trustworthy.

Early in my career, at a Cisco conference, John Chambers, then Cisco CEO, gave the keynote speech. Mr. Chambers spoke for an hour walking throughout the audience and never referenced his slides. His speech was not memorized. The passion, inflection, and charisma he displayed could not be rehearsed. I remember looking around the entire auditorium and noticing that people were mesmerized by his presence. Everyone was entirely focused on him. I could tell that the message was completely genuine. After the keynote, I hunted down some of my colleagues and confirmed that their experience matched my own. Mr. Chambers's congruence drove high performance at Cisco. His authenticity inspired an entire company to uniformly pursue the mission. When you have this level of congruence, why would you need notes? John Chambers's results speak for themselves, and consistency played a major role.

Be Transparent

Usually, when you hear the phrase, “I can see right through you,” it means that someone can see your inauthenticity. Well, I want people to see right through me, but not because I am inauthentic. Rather, I strive to be as transparent as a pane of glass on a bright summer day!

However, don't confuse being transparent with being an asshole. You need that filter between your brain and your mouth. What's more, oversharing about your struggles can diminish others' confidence in your skill as a leader. Still, building trust through transparency involves sharing the good, the bad, and the ugly. Further, you need to create an environment where others can feel safe sharing their concerns. Transparency has incredible benefits in establishing trust:

· Transparency expedites trust.

· Transparency creates buy-in.

· Transparency fosters employee empowerment.

· Transparency enables faster negotiations and better decisions.

In a past role leading a cybersecurity program for an energy company, I endeavored to be an open book with my employees. I tried to create a transparent culture by sharing everything necessary with everyone on my team. This transparency led to employee empowerment. Team members could make impactful decisions on projects or other challenges without consulting me continually. This transparency also led to an environment where someone could walk into my office and tell me that I was making a stupid decision (backed with facts) when they felt I was doing so.

However, transparency can have unintended consequences too. When a much larger organization acquired us, I tried to be as transparent as possible. I wanted to minimize the uncertainty that comes with being acquired. My transparency led to information overload. It also fostered endless speculation about post-merger integration, including future organization structures and the potential for terminations. People wanted to know if they were going to have jobs, and if so, who was going to be their boss? As a result of my commitment to transparency, we had to spend more time on capturing buy-in, fortifying trust, and confronting a dip in employee morale. It was an unhealthy and disempowering dynamic I wish I had avoided. As a leader, you must find a balance between being transparent and being too transparent.

Shut the Hell Up and Listen

We talked about the importance of listening in effective communications in Chapter 8 – Communication – You Do It Every Day (or Do You?) and highlighted some key listening skills; however, listening is just as crucial in establishing trust.

Newsflash: You do not have all of the answers all of the time; therefore, you must listen to ideas and feedback from your employees, peers, and superiors and integrate the information you learn through that feedback into your decisions. Doing so instills trust because those around you, particularly those who may be impacted by the decision, feel what they have to say matters.

I will never forget my first “all-hands” departmental meeting at a new job. The timing of my hire meant that the meeting happened to fall during my first week. I reported directly to the department head, and this meeting was an opportunity to highlight successes, talk through challenges facing the department and the broader organization, and raise any concerns. On that day, I was slapped in the face by the impact listening has on building and maintaining trust. The department head, who was very competent in managing a department and navigating difficult internal and external obstacles to achieve goals, finished the meeting. As he was wrapping up, head down and collecting his things, he asked if there was anything anyone wanted to discuss. A couple of people raised their hands, but before he even looked up, he turned around, left the room, and then we all heard the large “thud” of the door slamming shut behind him. Everyone looked at each other. Some stared in disbelief, and others looked as if this was expected. At that instant, I knew this person was a department head by title only and that his team did not have any trust in him. Yes, the department head could allocate resources and navigate challenges, but he had no interest in listening to his employees and receiving suggestions or feedback. That was one of the first impressions I had of the department head at my new job, and he never gained my full trust as a result.

Be Humble

Jim Collins, author of Good to Great and Great by Choice, once said to a large forum of business leaders that “The x-factor of great leadership is not personality, it's humility.”3 Humility instills trust because humility, by definition, means “freedom from pride or arrogance.”4 A lack of pride or arrogance helps to establish trust because it shows that you are okay with not being the smartest person in the room, that you don't have (or at least don't show) an ego, and that you are willing to give others a chance to step up and perform.

In the book The Dichotomy of Leadership, Leif Babin spells out the importance of humility that Jocko Willink impressed upon his SEAL team, Task Unit Bruiser, during the battle of Ramadi in Iraq. Babin goes on to say:

Being humble also meant understanding that we didn't have it all figured out. We didn't have all the answers. It meant we must learn from other units that had been in Ramadi longer and work with them to support our chain of command and support the mission. It wasn't about how many operations we conducted or how many bad guys we dispatched…

… Being humble meant understanding the importance of strategic direction from our boss. It meant doing all we could to support the conventional forces we worked with, the Iraqi soldiers we trained and combat advised, and of course our chain of command. Being humble meant we put our heads down and got the job done as directed to the best of our ability.5

Do you see a corollary to a cybersecurity team here? Imagine sitting in a security operations center (SOC). I believe that humility ultimately drives a successful SOC. In a typical layout, the tier 1 analysts are the most junior people on the team and are situated in the front, eyes on glass, waiting for an alert to pop from the SIEM to notify them of an anomaly or a possible security event. If, after an initial triage, the potential security event requires further investigation, the tier 1 analyst must first be humble enough to realize that they have reached the end of their capabilities and second, humble enough to escalate to the tier 2 analysts in a timely fashion. Tier 2 must be humble enough to investigate the incident while sharing their knowledge and experience with tier 1. Tier 2 analysts must also be humble enough to escalate to a focused operations team. By this point, the security event has likely been escalated to a security incident, yet the focused operations team must be humble enough to share their knowledge with tier 2 while investigating the incident.

Finally, the focused operations team must be humble enough to engage the computer security incident response team (CSIRT) should the security event escalate into a high-priority security incident. In a SOC, it is never about how many alerts pop up in a SIEM or how many events you can triage and investigate by yourself. It is always about having the humility to know that you are part of a broader team that can put your heads down together and get the job done to the best of your ability. At this point, some of you may be saying, “There is no humility here; the SOC playbook is telling them when to escalate.” True, the SOC playbook outlines when to escalate from one tier to another, but I challenge you to show me one SOC playbook that says the higher tier in the SOC must take time, during what could be a very hectic investigation, to share knowledge with the lower tier. Humility fosters trust throughout this entire ecosystem.

Just as there is a balance in being transparent, there is a balance in being humble. Being humble does not mean being weak and just shutting up and taking orders. It means recognizing there is a broader strategy in place that you or your team support and putting it ahead of your self-interests. Unlike the SEAL teams deployed in foreign conflict, I venture to guess that most of you reading this are working at your organization of your own free will. Therefore, humility also means knowing where your principles draw the line in the sand and fighting like hell not to cross that line, even if it means polishing off your resume.

As a leader, it is vital to press the importance of humility within your team, and it is also important to exhibit humility yourself. One of the most effective ways I have found to do this is to take a “the buck stops here” mentality. In other words, as a leader, you take all of the blame when something goes wrong but redirect all of the praise to your team when things go well. A leader is always responsible for what happens on a team, especially when things go wrong. When you accept the blame for your team, you set an example of ultimate accountability. On the flip side, when leaders deflect praise to their team, they tell the team that all of their individual efforts led to the team's success.

Now that you understand how to lay the foundation of the relationship by establishing and maintaining trust, let us examine how to expand upon relationship management via indirect influence and managing conflicts.

Indirect Influence

As a former CISO and now CEO and consultant, people ask me all the time about how to “manage up.” Managing up depends on several factors, including the group you belong to and the individual you report to. There is a great debate among the cybersecurity community about where the chief information security officer should report. Should they report to the CIO, CFO, general counsel, or even the CEO directly? Firms like Gartner, Forrester, and McKinsey publish reports that the CISO is moving out from under the CIO. However, my non-scientific, boots-on-the-ground experience does not support that (although my co-author does report directly to the CEO). My answer? It depends. Many different factors go into determining an optimal reporting structure. I will set an unpopular stake in the ground and say that a cybersecurity leader's reporting structure does not matter.

I think the real question is, “How do you deal with a bad reporting structure?” If you find yourself in a bad reporting structure, focus your efforts on the things you can control. You can control how you deal with it. You can control how you influence others, regardless of reporting structure, including your boss.

Indirect influence means that you keep your objective or goal in mind and take some action other than dealing directly with the person or group whom you wish to influence. Using indirect influence can mean either that you work through other people or use other means to accomplish your objective. For example, you may ask other business units, such as sales teams or procurement, to openly recognize your efforts and signal to leadership the need for allocated resources to the cybersecurity program. You may also…wait for it…collaborate with auditors and external penetration testers to highlight language in their findings that may tip the scales for securing funding for a new initiative or for hiring new staff. Ensure that you use indirect influence openly, though, so that it is not confused with manipulation, in which you intentionally hide your motivations and agenda.6

B. Kim Barnes outlines when indirect influence is more effective:7

· You don't have access to the person or group you wish to influence because of political, geographic, language, cultural, or other issues.

· Imagine being based in the United States and working closely with a group in Ireland or India, whose business unit leader is less than cooperative, to implement new security controls within their business unit.

· You have not established a good influence relationship with a critical person, and the issue is urgent enough that you do not have the time to build one.

· Think about being relatively new to an organization that was a victim of the SolarWinds (“Solargate”) supply-chain compromise disclosed in December 2020. Now think about convincing the CFO that your organization should be proactive and rip-and-replace its network monitoring infrastructure at a high cost, even though no tangible negative impact has occurred to your organization yet.

· The other individual does not believe you have the relevant knowledge, expertise, or status that would be the appropriate power sources for this influence issue.

· You are trying to work with a profitable, revenue-generating business unit to resolve a compliance finding. The business unit leader brushes you off because, well, in their mind you do not understand their critical business processes, and if it isn't broken, don't fix it. Furthermore, they do not give you the time of day to convince them that this particular process or technology implementation is in fact broken. In this case, you may work through your internal audit team to place emphasis on resolving the issue, as the internal audit team typically has the standing and power within the organization to influence change.

· You don't have the power, or political capital, to be effective using direct influence.

· I recently spoke to a CISO who reported to a CIO that continuously failed to prioritize and allocate budget to cybersecurity, allocating more resources instead to projects that would elevate the CIO's profile within the executive team (until there was a significant cybersecurity incident, of course). The CIO consistently bypassed existing security controls and standards, so the CISO felt there was an apparent conflict of interest. The CISO felt there needed to be more separation of duties between cybersecurity and IT. The CISO worked through the CFO and the general counsel to effect a reporting change that resulted in the CISO, and their team, reporting to the general counsel. The general counsel had the power and political capital to raise risks to the C-suite and ensure that cybersecurity was better integrated into IT projects and enterprise risk management.

· You have been trying to influence directly and have hit a snag or are at an impasse.

· This use case may be similar to the last bullet point. However, the CISO may have a better relationship with the CIO and instead works through business stakeholders to ensure cybersecurity risk and appropriate controls are considered in IT projects.

Exerting indirect influence is a slow, long-term effort that pays off over time – much like smoking a good brisket. One effective method of indirect influence is called trim-tabbing. In the traditional sense, trim tabs are small surfaces connected to the trailing edge of a larger control surface on a boat or aircraft (e.g., a rudder). Small adjustments to the trim tab can affect the path of the boat or the aircraft over a long distance. The same is true of indirect influence. Effecting many small changes over time can lead to significant changes in the long term. Designer Buckminster Fuller is credited with first using “trim tabs” as a metaphor for leadership and empowerment. In February 1972, Fuller said:

Something hit me very hard once, thinking about what one little man could do. Think of the Queen Mary – the whole ship goes by and then comes the rudder. And there's a tiny thing at the edge of the rudder called a trim tab.

It's a miniature rudder. Just moving the little trim tab builds a low pressure that pulls the rudder around. Takes almost no effort at all. So I said that the little individual can be a trim tab. Society thinks it's going right by you, that it's left you altogether. But if you're doing dynamic things mentally, the fact is that you can just put your foot out like that and the whole big ship of state is going to go.

So I said, call me Trim Tab.8

Stephen Covey (do you see a theme here?) popularized the notion of trim tabbing in his book The 8th Habit: From Effectiveness to Greatness. Trim-tab leaders take the initiative to influence their “Circle of Influence”9 in small ways that eventually lead to indirectly influencing the organization to achieve the leader's goals. Your “Circle of Influence” is smaller than your “Circle of Concern,” although your job role will often take you outside of your “Circle of Influence.” In other words, focus on things you can control to influence the things that you cannot control.

As cybersecurity leaders, we often have to influence things outside of our control by focusing on things within our control. I once faced a challenge where a business unit leader wanted to use a particular SaaS provider to store and process some of the company's “crown jewels.” This SaaS provider happened to be a startup and not very proven within the market, but the business unit leader was so enamored with some of the promised features that they claimed there was nobody else on the market who could provide a similar service. I initiated a third-party cybersecurity risk assessment of the SaaS provider, per our established practices. Since my company would be sharing some of its most confidential and valuable information, the SaaS provider landed in our “high risk” bucket, so they received our most comprehensive set of questions. They were unable to answer almost all of the questions. For instance, when asked about data encryption at rest and transit, along with access controls, they replied, “AWS has a SOC2 and handles that.” That is not a satisfactory answer (Google “AWS Shared Responsibility Model” if you don't understand why).
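The shared responsibility point deserves a concrete illustration. What follows is an added example, not code from this chapter, from the SaaS provider, or from AWS: a small Python check that evaluates the three things the questionnaire asked about (encryption at rest, encryption in transit, and access controls) from an S3 bucket's customer-side configuration. The input dictionaries are constructed inline to mirror the response shapes of boto3's get_bucket_encryption, get_bucket_policy and get_public_access_block calls (an assumption, so the check runs offline; a real assessment would pull them from the account or from vendor-supplied evidence). The bucket names and KMS key alias are hypothetical.

```python
"""Shared-responsibility spot check for an S3 bucket's customer-side controls.

Added example, not code from the chapter. It answers the questions the vendor
could not: is default encryption at rest on, is TLS enforced in transit, and is
public access blocked. None of these are decided by AWS's SOC 2 report; every
one is a setting the customer (here, the SaaS provider) chooses.
"""
import json


def encryption_at_rest_enabled(encryption_cfg):
    """True if a default server-side encryption rule (SSE-S3 or SSE-KMS) exists.

    `encryption_cfg` mirrors boto3 get_bucket_encryption() output (assumption);
    None stands in for the NotFound error older, unconfigured buckets raise.
    """
    rules = (encryption_cfg or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo in ("AES256", "aws:kms"):
            return True
    return False


def tls_enforced(policy_doc):
    """True if the bucket policy denies requests made without TLS.

    The canonical pattern is a Deny on s3:* (or *) conditioned on
    {"Bool": {"aws:SecureTransport": "false"}}.
    """
    if not policy_doc:
        return False
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        cond = stmt.get("Condition", {}).get("Bool", {})
        secure = str(cond.get("aws:SecureTransport", "")).lower()
        if secure == "false" and any(a in ("s3:*", "*") for a in actions):
            return True
    return False


def public_access_blocked(pab_cfg):
    """True only if all four public-access-block switches are on."""
    cfg = (pab_cfg or {}).get("PublicAccessBlockConfiguration", {})
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(cfg.get(k) is True for k in keys)


def assess_bucket(name, encryption_cfg, policy_json, pab_cfg):
    """Return a list of findings; an empty list means all three controls are present."""
    policy_doc = json.loads(policy_json) if policy_json else None
    findings = []
    if not encryption_at_rest_enabled(encryption_cfg):
        findings.append(f"{name}: no default encryption at rest (SSE-S3/SSE-KMS)")
    if not tls_enforced(policy_doc):
        findings.append(f"{name}: bucket policy does not deny non-TLS requests")
    if not public_access_blocked(pab_cfg):
        findings.append(f"{name}: public access block is not fully enabled")
    return findings


# Constructed sample evidence (hypothetical bucket names): one bucket left at
# the defaults a startup might ship with, one configured the way the
# questionnaire expects.
UNHARDENED = {
    "encryption": None,
    "policy": None,
    "pab": {"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": False,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": False}},
}
HARDENED = {
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/crown-jewels"}}]}},
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::crown-jewels", "arn:aws:s3:::crown-jewels/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
    "pab": {"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
}


def run_sample():
    """Assess both constructed buckets and return their findings by label."""
    return {
        "unhardened": assess_bucket("vendor-uploads", UNHARDENED["encryption"],
                                    UNHARDENED["policy"], UNHARDENED["pab"]),
        "hardened": assess_bucket("crown-jewels", HARDENED["encryption"],
                                  HARDENED["policy"], HARDENED["pab"]),
    }


if __name__ == "__main__":
    for label, findings in run_sample().items():
        print(label, "->", findings or "no findings")
```

The bucket left at defaults produces three findings and the hardened one produces none. That is the point for the assessment: the platform's SOC 2 report says nothing about which of these switches the tenant flipped, so “AWS handles that” is not an answer to a question about encryption or access control.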

The business unit leader insisted we proceed with the implementation due to various business drivers. I could not directly influence the business leader's desire, nor could I change the business drivers; however, I was responsible for identifying cyber risks to the organization. What I could do was leverage the personal, social, and structural motivations of the Six Sources of Influence that we outlined in Chapter 3 – Business Decisions to influence the situation. I elevated the risk to the enterprise risk management team and objectively outlined the likelihood of significant lost revenue and market share. After considering my analysis, they asked the business unit lead if the new features were so revolutionary and transformative that he could not find another workaround with similar benefits (Harness Peer Pressure – social). They then asked if he would bet his job on that decision (Make the Undesirable Desirable – personal). The answer was a reluctant “no” (Design Rewards and Demand Accountability – structural). Funny how that worked once the leader had to stick his own neck out on the line.

Trim-tab leaders use vision, discipline, passion, principles, and action to grow their “Circle of Influence” regardless of their formal job title, but make sure to pick your battles. Taking initiative that is far beyond your “Circle of Influence” may backfire on you.

Managing Through Conflict

The very nature of our jobs requires us to be able to manage conflict effectively. Conflict may come in the form of varied opinions or in the form of working with a business unit to implement a new security control (as was the case with our development manager from Chapter 8 – Communication – You Do It Every Day (or Do You?)).

At its core, managing through conflict is just another form of negotiating. As you know, we will cover the topic in Chapter 12 – Negotiations. Nonetheless, I have used the following basic negotiating framework, adapted from Getting to Yes,10 to handle some pretty sticky situations:

· Don't make it personal

· Focus on cause, not effect

· Generate options

· Be objective

Don't Make It Personal

We have all worked with big personalities, some more likable than others. Part of growing as a leader is delivering results despite the circumstances. Sometimes you have to work with people you don't like. The key is to remove the roadblock by counteracting difficult personalities. Conflict is very personal, so making it impersonal is the first step toward resolving conflict.

Human nature compels us to become personally involved in conflict and take a side. When someone challenges our view or position, we may instinctually perceive that challenge as a personal attack. This doesn't have to be the case. The key is to remove the people variable from the problem. Doing so allows individuals to take a step back, be objective, and discuss issues in a safe environment without the fear of losing face or damaging a relationship.

There are three fundamental obstacles to separating people from the problem, namely perception, emotion, and communication. Most conflicts arise because of different interpretations of the facts. You must extend the other party the benefit of the doubt. For example, if the sales team pushes back on multifactor authentication for the CRM system, consider that it is because multifactor authentication creates control friction in the sales process. They are trying to quickly look up a customer record, on the road, with limited connectivity, before a critical meeting. It's not because they are merely reluctant to change.

The second obstacle is emotion. Understanding the other party's viewpoint and demonstrating empathy is crucial. People may react with emotion when they feel their position or character is being challenged (hence, don't take it personally). Dismissing emotions as unreasonable will exacerbate the conflict. Once you acknowledge the other party's emotion, then you can begin to shrink your differences and resolve the conflict.

The third obstacle is communication, and we dedicated an entire chapter to this topic. Instead of playing point/counterpoint, where you anticipate your response while the other party is talking, employ active listening. Give the other party your full attention. When you truly understand the other party's version of the facts along with the emotion that accompanies those facts, you can respond. It's best to formulate a counterpoint that legitimately addresses the other party's concerns rather than invalidating your efforts thus far by forcing your perspective into the dialogue. Of course, many of these obstacles will not come up in the first place if you maintain good relationships and view the other individual as a partner and not an adversary.

Focus on Cause, Not Effect

You must understand the difference between interests and positions. The authors of Getting to Yes detail, “Your position is something you have decided upon. Your interests are what caused you to decide.” In other words, there is a cause-and-effect relationship between interests and positions. If you focus on the other person's position (the effect), then someone will win and someone will lose in the conflict; however, if you focus on the other person's interests, you can work to find a “win-win” solution that satisfies everyone's interests (the cause).

Identify the interests at hand by asking why the other person is standing firm on their chosen position. Ask them “straight-up” and be direct about it. Once the interests are determined, you can then identify a commonality. For example, recall the development manager example from Chapter 8 – Communication – You Do It Every Day (or Do You?) where the security manager used the Socratic method to convince the development manager to work together to give security vulnerabilities the same level of priority and visibility as traditional code defects. You can see that the security manager and the development manager both wanted fewer code defects (vulnerabilities in this case), and therefore less rework for everyone involved.

After you have identified everyone's interests, you must explain your interests clearly and summarize the other party's interests to ensure a mutual understanding. Doing so also demonstrates respect. You are paying attention and actively concerned with the other party's interests. If everyone can remain open to a third alternative, you will find an innovative solution that satisfies everyone's needs. It is likely to be a new solution that neither party envisioned when you started.

Generate Options

Now, you must develop your options and alternative solutions. Brainstorm and ensure everything is out on the table no matter how outlandish the suggestion or solution may seem. Recall the School of Thought Creative Thinking Cards Deck mentioned in Chapter 5 – Articulating the Business Case. Avoid a “win-lose” scenario because that will derail your conversations and escalate the conflict. Individuals may suggest partial solutions to the problem as a bridge to implementing a more in-depth solution. You should only begin to evaluate suggestions after many suggestions have been made. Considering each idea as it is proposed can be counterproductive. Starting with the most promising suggestions allows you to iteratively refine alternatives until everyone is satisfied. Any low-hanging fruit (low effort/high value) is a great place to start. Early progress builds momentum and promotes goodwill.

Be Objective

What criteria will you use to resolve the conflict? All parties should agree on objective criteria that remove emotion and ego. Doing so not only allows you to move forward with a solution to resolve the conflict, but it minimizes animosity and preserves your relationships with the other parties moving forward. You can also involve the other party in defining the procedure for resolving the conflict. For instance, if you are implementing a significant security initiative, such as identity and access management (IAM), the cybersecurity team may define the required security controls. Then, you can engage the individual business units to develop their procedures to meet the security controls while minimizing disruption and friction to existing business processes.

Consider the following points when developing objective criteria:

· All parties in the conflict should be involved in defining the objective criteria.

· Understand everyone's interests and use their reasoning to support your interests.

· All parties must keep an open mind and be willing to evaluate alternative solutions.

· Do not allow yourself to be bullied and give in to pressure or threats.

Professional Networking

Research shows that 70% of all jobs are not published publicly on job sites, and as much as 80% of jobs are filled through personal and professional connections.11 Networking with humans (instead of computers) is a skill that many cybersecurity professionals struggle to develop. The traits that allow us to focus on solving a challenge, almost to the point of obsession, are some of the same traits that preclude our looking up from our laptops and interacting with others. Networking with peers external to your organization helps accelerate your growth as a cybersecurity leader through exposure to new ideas.

Frankly, many of us are introverts. To this day, I loathe the idea of showing up to an event where I do not know anyone and “working the room,” but networking has easily had the largest return on investment in my professional career. Networking has benefits inside and outside of your organization. The good news is that there are plenty of opportunities to network with other peers in our industry. There are industry conferences like RSA, Blackhat, Defcon, and the Rocky Mountain Information Security Conference. There are also local chapters of the International Information Systems Security Association (ISSA), the Information Systems Audit and Control Association (ISACA), the Cloud Security Alliance (CSA), and the Open Web Application Security Project (OWASP). Then, there are vendor-sponsored events and dozens, if not hundreds, of meetup groups and online discussion forums for just about any topic where you can join and contribute. The opportunities to network with your peers are plentiful. You need to take the initiative and do it.

So, how do you go about networking when all you want to do is huddle in a corner? First of all, you have to accept you are going to be uncomfortable. Secondly, realize that the key to successful networking is not to promote yourself and exploit the connection for personal gain but to add value wherever you can to help others succeed. I have used the advice of Dale Carnegie and Keith Ferrazzi, authors of How to Win Friends and Influence People and Never Eat Alone, respectively, to help develop my networking skills.

Many of the events mentioned above can be a test bed to hone your skills. Let's dig in on Keith and Dale's perspectives on networking. You will notice some commonalities across both authors' viewpoints. These can also serve as “Key Activities” for you to consider as you go about networking.

In How to Win Friends and Influence People in the Digital Age, Dale Carnegie and Associates takes the concepts from Dale Carnegie's How to Win Friends and Influence People, published in 1936, and applies them to today's digital age. The book outlines six key activities that ensure you leave a lasting impression with your connections and interactions:12

· Take an interest in others' interests: People tend to align and gravitate toward others who share their self-interests. Because of social media's proliferation, it is effortless (and lazy) to engage behind a keyboard. However, the real value comes when you invest time to know people and their challenges or interests personally. That's the only way to lay the foundation for mutual benefit, which also develops indirect influence. Who would have thunk it?

· Smile: In Chapter 8 – Communication – You Do it Every Day (or Do You?), we discussed the power of a simple smile. In the digital age, your spoken and written voice and tone translate into a digital smile.

· Reign with Names: Your name is your brand. You cannot know someone unless you know their name. When you know someone, you have a relationship, and relationships are your most valuable currency when building your network. To this day, I am terrible with names. Four tips that I use that Carnegie provides for remembering names are:

· Spell it

· Create a mental image of the person

· Say it multiple times

· Write it down and look at it

Doing the above helps form the links and associations in your mind that allow for fast recall.

· Listen Longer: Think about how frustrated you get when you feel you are not heard. By nature, people desire to be heard and need to know someone is listening. Active listening (Chapter 8 – Communication – You Do it Every Day (or Do You?)) builds strong connections and trust and allows you to leave a lasting impression. Put the damn phone down (again), cut out the distractions from the environment or the event, and focus. Treat the conversation you are engaging in as the most important thing in the universe at that time and pay full attention to what the other has to say.

· Discuss what matters to them: This ties to the above point, “Listen Longer.” Listening will breed an understanding of what matters to the other person, and it will allow you to focus on what matters to them. Remember, when building your network, it's not about you…it's about “them”!

· Leave others a little better: Add value. Volunteer information and skills. For instance, if the person you are speaking with expresses frustration around building a business case for a particular initiative, and you happen to be good at building business cases, volunteer to review their business case for them. As you nurture the relationship and the relationship becomes more friendly, if the other person needs help moving, get off your butt and help them move! Psychologists say that a “law of reciprocity” states that people have a deep-rooted psychological need to return favors. By doing something nice for someone, they are very likely to do something nice for you in return.

In Never Eat Alone, author Keith Ferrazzi advocates that building your personal brand and network should be your way of life. Ferrazzi leveraged his relationships to become the Chief Marketing Officer (CMO) at Deloitte & Touche Consulting, the youngest-ever CMO at Starwood Hotel & Resorts, and the CEO at Yaya Media. Finally, he started his own company, Ferrazzi Greenlight.

Many points and tips are outlined throughout the book, but I want to distill the attributes and strategies that resonated with me, and that provided the greatest value.13

· Don't keep score: Generosity and loyalty are foundational to good networking. This point is analogous to Carnegie's “Leave others a little better.” Networking and building relationships is a two-way street. ALWAYS ask how you can help. You give, and you receive, which lays the groundwork later for the “law of reciprocity.”

· Build your network before you need it: Building relationships is a long-term endeavor. Sorry – there is no Tinder for professional networking. You cannot just swipe left or swipe right. It will be too late to start building a network when you need it. My success as a consultant is 100% attributed to the network that I cultivated over twenty-five years.

· Do your homework: Always, always, always prepare for a meeting. If you are targeting networking with a particular person, do some research on the person. Your preparation allows you to focus on touchpoints that you know will pique the individual's interest (Carnegie's “Discuss what matters to them”). You may even start to covertly provide value by sharing insights the other person may not have considered. If you are going to a general networking event, do your homework on the type of people who may be attracted to the event and formulate a small-talk track in your head based on the different personas you may encounter.

· Be a conference commando: The most significant value of going to conferences is not in going to all of the talks and sessions. The most significant value lies in the hallway conversations, or as we have coined it in our industry, “HallwayCon” or “LobbyCon.” Get introduced, or introduce yourself, to like-minded people and set up follow-up discussions after the conference. LinkedIn has made connecting, following up, and engaging post-conference extremely easy.

· Be visible: It is easy to fill our calendars with every event on the planet, including happy hours, dinners, sporting events, and conferences. When I was leading a cybersecurity program, I could go to a vendor-sponsored event every night, which is not sustainable and would have made for a very disgruntled wife. Be clear about the value you hope to extract from the events you attend.

· Follow-up: The money is always in the follow-up. Remember, your currency (money) is your relationships.

· Leverage super-connectors: We all know that one person who seems to know everyone. Furthermore, in our field of cybersecurity, it seems that everyone is separated by two degrees of separation rather than the generally accepted six degrees. Super-connectors have a Rolodex of thousands of contacts upon which they could call, and the other end of the call answers. Make friends with these people.

Application

Let's dive into a couple of case studies of how the contents of this chapter have saved my bacon at a couple of points in my career.

Case Study 1 – Humility for Trust's Sake

Sometimes, eating good old-fashioned humble pie actually instills trust. That's right. Own up to your mistakes, admit them as soon as possible, explain why you made the decision you did, and follow up with a plan to correct the error. I speak from experience. When I was working for a federal contractor and running a combined security and network operations center (SNOC) for a US federal government entity, my operations and maintenance team had the responsibility for upgrading the enterprise IT ticketing system over the course of a night. This ticketing system was the backbone for IT support across the organization globally, and it was, shall we say, a very visible upgrade and politically charged. Without it, about 24,000 users across over 125 global field offices could not report IT issues, nor receive IT support. I should also mention that our contract was expiring and was coming up for a recompete as mandated by the federal contract, and the success of this upgrade would go a long way to solidify our position as the incumbent.

I got a call at about 11 p.m. that the upgrade was going sideways. After hanging up, I called my boss to inform him of the status so that he could inform the customer (the federal government agency), and then I hopped in the car and drove to the SNOC since I lived only 15 minutes away.

After getting to the SNOC, the system administrators executing the upgrade convinced me that it was better and more time effective if they proceeded to troubleshoot the upgrade versus restoring from a backup since they believed they had narrowed down the issue. Our rules, our playbook, and our approval from the change board all said that if the upgrade was not complete in a specific timeframe, we would roll back the upgrade and restore from backup, but in this case, I let the system administrators sway my decision. One more hour turned to two more hours, and two more hours turned to three more hours. By about 4 a.m., I finally put my foot down and forced a rollback, much to the chagrin of the system administrators who had been troubleshooting the issue all night and were convinced they had almost solved the problem.

Daylight came, and the phones started blowing up. The customer was irate, and they had every right to be. I proactively called my government stakeholders to let them know what had happened. What could have been a 4-hour rollback turned into a 12-hour marathon. Jobs, including my own, were potentially on the line. I could have made excuses, or I could have taken responsibility. I took full responsibility. They appreciated me explaining why I made the decisions that I did and why I believed they were the best decisions based on the information I had. I had to weigh blowing a change window with the risk of corrupting an installation and data by rolling back the upgrade, but the federal government places a lot of weight on processes, and I didn't follow their process. I understood that, and owning up to that mistake was not only the right thing to do, but in my mind, it was the only thing to do.

I didn't leave the office until after I personally wrote the after-action report. I reviewed all after-action reports from the SNOC before submitting them to the government client, but I rarely wrote them myself. I held myself responsible in the root cause analysis. Unbelievably to me at the time, instead of mandating that I be removed from the contract, which would have likely cost me my job, the government client changed some change management rules due to the after-action report to give the SNOC more decision-making authority during these types of outage windows so that we could troubleshoot more during these types of change windows. At the risk of creating an oxymoron and bragging about how humble I was, the humility I exhibited immediately after that event rewarded the SNOC with more trust, not less.

Case Study 2 – Professional Networking

For many of us, our networks begin in college. Many of us can even go as far back as junior high and high school. For instance, my website's latest iteration was developed mainly by a friend I have known since high school. I first learned the real value of networking in college during my first internship. I was an intern at the Bellagio Hotel in Las Vegas, Nevada, before the resort opened. We developed “Leader's Guides,” which were “train the trainer” materials used before and after the resort's opening. The nature of our work required that we talk to various department heads about their jobs and critical challenges (discuss what matters to them) and then distill their input into a work product that they would use to train new employees as they onboarded. These Leader's Guides offloaded some of the already tremendous workload and pressure that comes with opening a billion-dollar resort. An added benefit was that some department heads could use the amount of work and training documented in these Leader's Guides to justify additional resources (leave others a little better). The relationships I built as a mere intern with senior director- and vice president-level roles led to references that spring-boarded my career.

Now, let us fast-forward almost 25 years. I was hired by an energy company to build its cybersecurity program from the ground up, which included traditional IT and Operational Technology (OT). My professional goals were aligned with the organization's goals. I wanted to build and lead the cybersecurity program of an organization whose mission was vital to our nation's critical infrastructure. I was happy and proud of the work we were doing. Then, one July morning I woke up to a text message from a former MBA classmate asking, “Did you guys just get acquired?” He lived two time zones ahead of me and saw the press release via the Wall Street Journal. I jumped up, looked at the email on my phone, and replied, “Holy shit – I need to get back to you.”

From that point, I was fortunate enough to go on an incredible journey leading security and technology integration efforts between the two companies. I was very proud of the work we had accomplished. Two years later, it became apparent that the acquiring company's corporate headquarters was absorbing more and more of my job function. I was not willing to relocate. In truth, I was also slightly burned out. The previous two years had been a sprint. At the same time, the prospect of job hunting was nauseating. After consulting my wife, I realized that it was a perfect time to start my own business. There were plenty of risks, including the risk of not winning enough business, on a continuing basis, that would lead to me scrambling to dive back into that nausea-causing job hunt without the cushion of an existing paycheck. Together, we decided that while the financial risks were high, the mental health risks of burnout were higher and that launching a consulting business was still the best thing to do. We also decided that it was prudent to slowly build up business. Once the value proposition and business volume reached critical mass I could transition into full-time consulting.

Over the next six months, I reached out to the vast majority of my network to let them know of my plans. I asked for advice and referrals, which led to many one-on-one conversations. The energy company I served was aware of my consulting aspirations, and my boss was very supportive. In the end, the new integrated security team reorganized and eliminated my position before I was ready to exit. It was the perfect incentive, sink or swim. My last day with the company was on a Thursday, and thanks to my fantastic network, I started billing my first full-time client the following Monday.

My network took 25 years to build and 6 months to prime before I was ready to thrive on my own. At the time of this writing, the vast majority of my work as a consultant has come through referrals. Do not wait to start building and nurturing your professional relationships. Done right, your network will be there when you need it the most.

Key Insights

· Follow a simple five-step process to establish and build trust:

· Say what you do and do what you say: Keeping promises is a key factor in establishing and maintaining trust. As a leader, how can you expect your employees to get behind you and the organizational mission if your communication and actions are not aligned? Your words and actions must match. Failing to do so will lead to people not trusting you.

· Be authentic and congruent: Authenticity lends to congruency. If you have any level of emotional intelligence, you can usually tell quickly when someone is authentic or not. Sometimes, people contradict themselves and show their inauthenticity. Other times, it's a gut feeling that indicates to you that someone is inauthentic, like when you are buying a new car, and the salesperson is your “best friend” the second you walk onto the car lot.

· Be transparent: Make sure your employees remain informed of key developments and why the organization made certain decisions. Ensure expectations are clear and that every employee has a chance to provide feedback on those expectations. However, be mindful of when sharing too much information, or sharing it at an inappropriate time, can lead to confusion and distrust.

· Shut the hell up and listen: When you say you have an open-door policy, have an open-door policy. Don't sit there and wonder why your employees do not open up to you about their concerns during a project, a major company initiative, or even their career growth plan, when you regularly dismiss their concerns or avoid their feedback altogether. Furthermore, don't interrupt! Our parents teach us not to interrupt from childhood, yet we are all still guilty of this. I am particularly guilty of this when I have a point I want to get out before the thought leaves my feeble mind. However, interrupting is rude and implies that what you have to say is more important than what the other person has to say. Nothing instills trust with someone, like suggesting what they have to say doesn't matter, right? Stay present in the conversation. That email or text that comes through during the conversation can wait. Nothing says, “Don't trust me because I don't care about what you are saying,” like not paying attention to someone when they are speaking to you.

· Be humble: Surrounding myself with people who are smarter than me reminds me that my stuff really does stink. Every day, I remind myself how lucky I am to have a successful consulting business that has grown mainly through referrals. I am thankful that I am in a position every day to learn from people and teach. Remember that it is okay to admit mistakes. It's okay to utter the words “I was wrong.” Doing so as soon as possible, being candid as to why you made a particular decision, and having a plan of action to rectify the mistake go a long way in building trust.

· Create indirect influence:

· Establish indirect influence through “trim-tabbing”: Small nudges will have huge effects over time.

· Understand the “big picture” direction and destination: What are your goals? Are they aligned to the organization's goals? Do you understand what is in and out of your “Circle of Influence” and what factors determine your “Circle of Influence”? Can you trim-tab through changing organizational dynamics?

· Listen more, speak less: Review Chapter 8 – Communication – You Do it Every Day (or Do You?).

· Get people to like you: Say “please” and “thank you” a lot. Lift up your co-workers. Speak well of people and don't speak negatively about people behind their back (like the development manager from Chapter 8 – Communication – You Do It Every Day (or Do You?)). Show genuine interest in how your colleagues are doing, or how they spent their weekend. Don't fake it. People will see right through it.

· Be supportive: Volunteer to help someone prepare for a presentation. Get “in the weeds” with your team when troubleshooting an issue. Share knowledge. Allow a stressed colleague to talk to you to vent.

· Bribe: Yes, I said that. Coffee, donuts, pizza, and beer (when appropriate) go a very long way.

· Remember these keys to managing through conflict:

· Don't make it personal: There are three fundamental obstacles to separating people from the problem, namely perception, emotion, and communication. Most conflicts arise because of different interpretations of the facts. You must extend the other party the benefit of the doubt.

· Focus on cause, not effect: Interests are the cause. Positions are the effect.

· Generate options: At the risk of sounding like a cliché, focus on “win-win” scenarios even though “win-lose” scenarios may seem rewarding.

· Be objective: Agree on objective criteria to resolve the conflict. All parties in the conflict need to be involved in determining these criteria.

· Cultivate your professional network:

· Get comfortable: The key to networking is to get comfortable with being uncomfortable, particularly if you are an introvert.

· It's not about you: Do not promote yourself and exploit the connection for personal gain, but add value where you can without any expectation of “quid-pro-quo.”

· Do your homework and remember names: Always prepare for meetings. How can you expect others to remember you positively when you show up “winging it” or when you can't remember their name?

· Build your network before you need it: Don't wait. Start now.

· Get out there: Participate in “HallwayCons,” and be focused on the types of events you want to attend.

· Follow-up: The money is always in the follow-up. Remember, your currency (money) is your relationships.

· Super-connect: Find the super-connectors in your network and get introduced to them. Then, figure out how you can help them.

Notes

1. Covey, S.M.R., The SPEED of Trust: The One Thing That Changes Everything, Free Press, 2018.

2. Covey, S.M.R., The SPEED of Trust: The One Thing That Changes Everything.

3. Davis, K., “Jim Collins on Creative Discipline, Paranoia and Other Marks of a Great Leader,” 2012. Accessed January 30, 2021. https://www.entrepreneur.com/article/224568.

4. “Humility,” Merriam-Webster. Accessed January 30, 2021. https://www.merriam-webster.com/dictionary/humility.

5. Willink, J., and Babin, L., The Dichotomy of Leadership: Balancing the Challenges of Extreme Ownership to Lead and Win, St. Martin's Press, 2018.

6. Barnes, B.K., Exercising Influence: A Guide for Making Things Happen at Work, at Home, and in Your Community, John Wiley & Sons, 2015.

7. Barnes, B.K., Exercising Influence: A Guide for Making Things Happen at Work, at Home, and in Your Community.

8. “Playboy Interview: R. Buckminster Fuller – Candid Conversations,” Playboy, February 1972.

9. Covey, S.M.R., The 8th Habit: From Effectiveness to Greatness, Free Press, 2004.

10. Fisher, R., and Ury, W., Getting to Yes: Negotiating Agreement Without Giving In, 2nd ed., Penguin Group (USA) Inc., 1991.

11. Freeland Fisher, J., “How to Get a Job Often Comes Down to One Elite Personal Asset.” Accessed February 4, 2021. https://www.cnbc.com/2019/12/27/how-to-get-a-job-often-comes-down-to-one-elite-personal-asset.html.

12. Dale Carnegie and Associates, and Cole, B., How to Win Friends & Influence People in the Digital Age, Simon & Schuster Paperbacks, 2011.

13. Ferrazzi, K., and Raz, T., Never Eat Alone: Expanded and Updated – And Other Secrets to Success, One Relationship at a Time, Currency, 2014.