Positioning the Security Team Using Influence Part 2

Sunday, April 22, 2012

Steven Fox, CISSP, QSA


In my first post on styles of influence, I discussed rationalizing – a style characterized by a logical perspective that does not account for emotional or political considerations.

Its utility is limited to circumstances where quantifiable and verifiable metrics dominate the decision-making process.

Unfortunately, the analysis of information security risk is handicapped by a lack of actuarial data to strengthen a rational analysis.

Our exploration into influence continues by examining a style that leverages the perceived power of organizational policies, standards, and best practices to support an argument.


In their article, When Your Influence Is Ineffective, Chris Musselwhite and Tammie Plouffe describe the assertive individual as relying on company policies, rules, authority, and self-confidence to influence others. Without awareness and finesse, however, the influencer can be seen as being overbearing or aggressive.

“This can lead to resistance or resentment accompanied by passive aggressive or negative behavior, which can result in compliance when the influencer really needs commitment.”

Security engineers, analysts, and auditors are apt to use security policies or industry best practices as the foundation of their guidance rather than addressing business needs. While valid in substance, such appeals to authority are often perceived negatively, because they rarely take into account the business drivers that motivate initiatives.

Security professionals forget that the business will rarely tolerate a security policy that hinders business. Unless it is coupled with a State or Federal mandate, policy is often set aside for competitive advantage.

Many of my clients have granted policy waivers to executives and suppliers in order to facilitate business. Any attempt to impose contrary governance ended up on a report that reflected the concerns of the security team. End of story.

Success Tip

Policy alone is not enough to deter business decisions that open the business to attack. Assertive professionals should connect security investments to business priorities when trying to influence decision makers.

Security professionals should also be aware of the political interpretation of any policies they choose to enforce. This style is best used with peers or direct reports; it is not advised when influencing upwards or working with collaborative groups.

Next week we will explore a style associated with diplomacy and compromise – negotiating. While useful in resolving conflicts and finding new solutions to problems, this style can also be abused to benefit a particular party.

Stay tuned to @McAfeeBusiness for more tips and case studies highlighting the fusion of information security and business.

Cross-posted from the McAfee Security Connected blog 
