He points to two basic rules that can help make conversations more meaningful.
- The conversation is not about you.
- You need to give trust to get trust.
I will leave it to you to explore his take on these two tenets from a general conversational perspective. However, it strikes me that if we, as Information Security professionals, would incorporate these rules into our conversations with our respective constituents, we might be met with a little less resistance. Of course, I am speaking from the perspective of being a corporate drone.
Having a conversation with the Information Security dude or dudette is viewed with a certain amount of trepidation by many who are “forced” to deal with us. In my experience, most of this trepidation is caused by us and not the poor supplicant 🙂 Why do you think they feel this way? Let’s look at number 1 above first.
1. The conversation is not about you.
Pretty simple statement. Harder to put into practice than it appears though. Let’s change it a little; the conversation is about them. They are looking, whether they know it or not, for the best method of accomplishing their goal in the most secure manner available that is appropriate for the business risk they have chosen to accept. Which, by the way, is a topic for another post. If we approach things from this perspective, it becomes a collaborative endeavor, not an adversarial one. Of course, I am not suggesting that there will not be times when we are required to tell people they can’t do something in the manner they desire. But as long as we avoid just saying no and try to help them find a way that is also acceptable from an infosec perspective, we have still remained their helper and not their roadblock. If they view us as their helper, they will be less concerned when they need to talk to us. They will involve us earlier and finally will be more likely to share more information with us.
2. You need to give trust to get trust.
This one is even more difficult. Why should they trust you? Do they know you? We have to build relationships with the people we work with. For those of us who work in the corporate world, this is a little easier. I talk to the same folks day after day and we have the opportunity to get to know each other and build trust. I have to trust that they believe I have their best interests at heart and they have to trust that I am not out to “get them” or stop them from being successful. Following rule 1 above goes a long way towards building this trust. Those who don’t have the luxury of long-term relationships with the folks they are dealing with have to find some way to establish that trust quickly and right at the beginning. Again, approaching it from a rule 1 perspective will help a great deal.
So there is my two cents’ worth about something that has been a problem in several companies for which I have worked.
I have not done the subject matter justice, but it was on my mind so here it is.