Ditch the Pitch and Start a Conversation

image source: sportsnetworker.com/
Whether you are in sales, an information security consultant, or a full-time cybersecurity employee, sometimes the hardest part about advancing your goals is to get in a room and have a real discussion. There are big differences between a pitch or presentation and a conversation, and they go far beyond structure.
Presentations are naturally one-sided, no matter how practiced or comprehensive they become. They automatically trigger that same defensive barrier that erects itself during television commercials or other unwelcome advertisements. The last thing you want in a vendor presentation is for the potential customer to wish they could fast-forward through your pitch to get back to what they really care about.
Instead, take advantage of the time you have been allotted to get a better understanding of your audience’s pain points, concerns, and requirements. If they want to talk, let them talk. If they don’t want to talk, ask open-ended questions and make them talk. What could their day do without? What is keeping them from being more productive or successful? What are they losing sleep about? If you don’t ask the questions, you’ll never be able to provide a meaningful answer.
What happens if they don’t immediately point out their technical requirements or problems?

  • Depending on who your audience is, their concerns might be centered on business risks or fear of the unexpected. Instead of using all your time to rehearse and talk about your idea or solution, maybe you should be focused on translating cybersecurity risk to business risk (hint: one equals the other). This is a concept that was embarrassingly simplified in a recent episode of Startup SecurityWeekly. When unexpected impacts to the business are mentioned, the topic can be easily shifted to monitoring/detection tools and methodologies or incident response.

Side note: If you are in the information security field and you are not listening to or watching the Security Weekly shows (http://securityweekly.com), you’re doing it wrong.

  • If their pain point is having too many pointless meetings or vendor presentations, that means their requirements aren’t being met in some way. Let them explain their heartaches, sympathize with them, and then help them think of some potential solutions. All you have to do at this stage is make sure your ideal solution is a better fit than all the others. For neat tips on creating traps and barriers for competitors, I suggest reading the Maverick Selling Method, by Brian Burns.

Finally, use your pitch deck as a set of backup slides. When you talk to your slides instead of your audience, the conversation is one-sided and you are being inadvertently presumptuous (as evidenced by your pre-crafted presentation). The quickest way to shut someone down is to tell them what they are thinking. You can still use your deck with its graphics, statistics, and tag lines, but you don’t have to use it to drive the conversation. Instead, you can actually use your slides as authoritative references for the dialog and flip through them deliberately. If interesting graphics catch the eye and create more questions or speaking opportunities, even better.

Thanks for taking the time to read this attempt to get people to stop pitching and start talking. If any of this resonated with you, please share it with your friends and colleagues. I also encourage you to take full advantage of the comments section and other contact methods highlighted below. I love reading about tips and tricks for success that others have found.
Steve Higdon has been working in the information security field for over ten years, providing support and consultancy to both public and private sector organizations. Steve can be reached via email at infosec@stephenhigdon.com and on Twitter at @SteveHigdon.

Replacing Leadership: A Disturbing Trend in Information Security and Business

image source: jainoncor.com

Originally published at The Cybersecurity Place

For some time, a discussion about advancing technology and its impact on the human workforce has centered on topics like the loss of manufacturing jobs due to improved machinery or the decreased need for cashiers after the implementation of self-checkout systems. Frederick Taylor had something to do with this, when he traveled the world during the Progressive Era showing manufacturing companies that there was “one best way” to conduct and manage business processes in the most efficient way possible. We started replacing specialized people with unspecialized laborers and technology.
Now fast forward about a century to the information age, more especially to a time where information security is charging toward the forefront of business. If you belong to the information security community, the subject of the insider threat has become commonplace and virtually cliché. For those not familiar with insider threat, it encompasses both users who intentionally present risk to the organization (like Snowden and Manning) and those who mistakenly do so through ignorance or neglect. Instead of investing in the users and their general awareness, organizations are purchasing security tools and other software solutions to keep them from leaking information, clicking on links, plugging in thumb drives, and opening attachments.
At one time, ensuring proper employee behavior was a leadership responsibility.
I make the argument that the only reason insider threat is so scary is because we have stopped developing and promoting leaders. Technical controls, fancy new tools, and user behavior analytics do an excellent job of addressing yesterday’s risks, but only education and leadership are able to respond to the unknown risk today and tomorrow. You wouldn’t see a tool generate an alert that says “there is something strange going on here that I’ve never seen before and I have a bad feeling about it”. That is because technology is only going to accomplish what it is preconfigured to do. Good leadership continuously updates itself, whereas many technical controls and security tools do not. Good leaders adjust their risk threshold dynamically in response to today’s critical missions, while software relies on human interaction at some point to know what to measure against.
A few days ago, I read something on LinkedIn that was something like, “What if we make big investments in our people and they leave?” It went on to say, “What if we don’t and they stay?”
I feel as though the dependence on technology when it comes to information security stems from a history of system administrators that lost all hope in humanity. At around the 17th time you had to go and change the default printer for a user, you looked for a way to automate things in order to save time and take the user out of the equation. The best sysadmins however, learned that if they walked the user through the process for accomplishing each task, it made their customer support role infinitely easier. The only thing that has changed now that there is an increased focus on security is that those system administrators have jumped on the cybersecurity bandwagon and added a new dimension to their contention toward users.
Another potential cause of the need for technical solutions to address leadership problems is the recent economic recession. Large organizations were presented with a need to cut costs wherever possible, and executives had to put an increased focus on management of the key business processes. At that time, leaders were replaced by process managers who were much better at making the business function than influencing people. In that sort of scenario, it might have seemed easier to invest in technology to control and monitor employee behavior than to train their managers to become more effective leaders.
No matter the cause however, the costs can impact more than the organization’s financial statements. They are left with overly complex technical solutions, untrusting employees, and ineffective leaders – all of which go well beyond the obvious information security implications.
Steve P. Higdon has been working in the information security field for over ten years, providing support and consultancy to both public and private sector organizations. Steve can be reached via email at infosec@stephenhigdon.com and on Twitter at @SteveHigdon.

Media, People, and Information Security Awareness

I have Google Alerts configured to send me virtually all articles published about breaches, vulnerabilities, leaks, etc. Each time a security event takes place, I get anywhere between five and thirty articles that range in different levels of detail, research, and sensibility. They almost always have a common outline – the world is ending, someone is at fault, and there is nothing that anyone can do about it. New vulnerabilities are accompanied with a name, logo, its own website, a theme song, and a clothing line.
While information security needs as much awareness as it can get across all user spaces, a problem arises when it only comes dressed as a heavy metal rock ballad with the volume knob set to maximum, and set to repeat. Eventually, our ears adapt to the noise and our brains start to tune it all out. The industry calls this effect “breach fatigue”, and it is very apparent when considering the fact that both Target and Home Depot experienced record sales shortly after their historic security events.
Don’t get me wrong, I fully understand that reporters and journalists have the responsibility to cover stories in a way that will increase readership or viewership, whether they have a functioning understanding of the topic or not.
I have laid out the problem, but what irritates me even more than the headaches I get from some from these titles is the fact that I can’t think of a single viable solution, aside from an overwhelming demand from John (and Jane) Q. Public for the media to produce stories of higher quality. Since people seem to get all their information from Facebook, article titles, and the first page of Google, the expectation that they will come together and levy increased requirements against media outlets for topics that they already do not understand or care about is slim.
If you have any recommendations or comments, please feel free to send them my direction.

Steve P. Higdon has been working in the information security field for over ten years, providing support and consultancy to several public and private sector organizations. Steve holds several industry certifications and can be reached via email at infosec@stephenhigdon.com and on Twitter at @SteveHigdon.