No matter the years of experience in cybersecurity, we’re often in situations where crucial details are missing. Yet, we often hesitate to ask questions because we don't want to appear ignorant or don't know what to ask.
In parts 1 and 2 of this three-part series, we looked at how to use questions to succeed with security projects within the context of discovery and planning activities.
In the final part, we’ll look at questions pertaining to persuasion activities in cybersecurity and also review several examples.
In cybersecurity, persuasion activities include efforts to get buy-in from stakeholders in the security program, justify security budget requests, and advocate your perspective on managing risk. Let’s explore an approach to asking questions that bolsters such efforts.
Encouraging Empathy
Conflicts sometimes arise due to the parties’ difficulties in seeing each other’s perspectives. Security professionals run into this issue when pushing back on a risky request or proposal. The other person might not appreciate our disagreement, because they look at the issue from a different point of view.
The wording of a question can either create a rift or bring people together. For example, how might you turn the following statement into a question that encourages the other person to see your point of view?
I cannot approve this security request.
To be persuasive, try to get the other person to understand your perspective. One way to do this is to turn a rejection statement into a question like this:
How can I approve your request while staying consistent with our approach to risk management?
By starting the question with, “How can I,” you’re implying that you cannot agree to the request while making it more likely that the other person will try looking at the issue from your point of view.
Christopher Voss, an experienced negotiator, calls this tactic “forced empathy.” He points out that, “‘How am I supposed to do that?” is one of his favorite ways to say “no,” explaining that such “how” questions must be tailored to the circumstances to be effective.
Justifying Budget Requests
One of the situations where security leaders exercise their persuasion skills is budgeting. The organization doesn’t always fund the security initiatives you might deem necessary.
For example, you might want to ask:
Why was my request for funding the penetration test rejected?
For a more effective approach to pushing back on such a rejection and exploring whether it can be reversed, associate security funding requests with the organization’s business goal.
With this in mind, you can adjust the question to say:
Our need for the penetration test was driven directly by customers’ requirements. How will we meet their expectations without the pen test?
The strengthened question not only reminds the other person of a shared business objective (address customers’ requirements), but also encourages empathy (“how will we”).
Threats and vulnerabilities are important and belong in your communications when appropriate. However, to connect with colleagues outside of security or IT, include a business-centric perspective in your questions.
“Yes” vs. “No”
When seeking approval we ask questions in the hopes of hearing “yes” as the answer. However, people are often guarded with “yes” answers. Perhaps more importantly, sometimes “yes” doesn’t signal true buy-in, but might indicate that the person wants to avoid a debate and is unwilling to reject your idea right now.
Negotiations expert Chris Voss points out that rephrasing your question so that the desired answer is “no,” instead of a “yes” can yield better results. For example, consider the following question:
Are you OK with the latest revision to this security policy?
If you hear a “yes,” will you know whether the answer indicates a real commitment or whether it’s an attempt to avoid disagreement? Try rephrasing the question like this:
Do you have any concerns with the security policy before I finalize its revision?
Or consider this no-oriented alternative:
I revised the security policy. Do you think the change is too impractical?
In these cases, “no” would indicate agreement. If, however, you get a “yes” answer, you’ll be able to ask follow-up questions to understand the person’s concerns and look for ways to address them.
Takeaways for Persuasion Questions
As you reflect on the ways in which you can ask questions that support your persuasion activities in cybersecurity, keep the following in mind:
- Phrase questions in a way that causes the other person to think about the situation from your perspective.
- Align your questions to shared objectives, which often means linking your security goals to business goals.
- Think about no-oriented phasing of your question to make it easier for the other party to agree with you.
Watch the recording of my recent RSA Conference session on "How You Can Ask the Right Questions to Succeed."