Leadership, Vulnerability Management

How to get departments resistant to security controls to say ‘what took you so long?’

Reframing how a security solution will directly address a concern may help convince someone who was resistant to the change, says leadership columnist Michael Santarcangelo. (MBezvodinskikh/iStock via Getty Images)

If people are blocking your effort to install a security control for the business, try changing your approach. It might get them wondering, "What took you so long?"

Here’s how it happened a few years ago when Jeremy (not his real name) from a large corporate security team approached me for help. It embarrassed Jeremy that the team failed to get web filtering installed three separate times over the previous three years. Each time they got ready to roll it out, the powerful research division would raise a fuss, make a bunch of threats, and get the project shut down.

The frustrated security team worried the lack of web filtering increased their risk and they felt stuck trying to get the research division to agree. Jeremy didn’t know what to do.

I agreed with Jeremy that the resistance and resulting response seemed like a misconception.

We needed to get a more complete, more accurate picture of the environment and what was happening. We started by engaging with a handful of technical leaders from the research division to listen to their words as they shared their insight and experience.

The research division agreed to a brief, optional survey for folks to share their concerns and ideas with us.

We designed the survey to take 5- to 10 minutes to answer five multiple-choice questions, followed by three open-ended questions. Because of the support of the research division leaders, we got over 50% participation and several hundred responses.

What we learned is that the research group was technically savvy and risk-adverse. They were concerned about backups and attackers stealing their research. It was clear they trusted security, but feared solutions that blocked progress.

Taking the time to get other perspectives allowed us to pinpoint the perception problem.

Previous attempts to implement web filtering came across as “we do not trust you” so “we need to block bad things from happening.” That naturally creates friction. Researchers immediately conclude whatever the security team is going to do will get in the way.

Our approach changed based on insights from the survey to focus on the concern of attackers’ stealing research. Now, instead of suggesting we didn’t trust the researchers, we supported their concern, explained more details, and offered to implement a solution to help.

We framed the solution as a safety net for the things that slip through on the web.

Then we acknowledged the fear of shutting down research. Instead of just telling people not to worry, we offered them a solution connected to a person. We introduced Jeremy, including his picture, location, email, and phone numbers, as the immediate contact allowed to remove any block for up to 24 hours. We pledged to work through any concerns rapidly, with a focus on keeping research going.

When we asked the technical leaders of the research division if that was OK, their only response was, “what took you so long?”

Out of curiosity, I checked on Jeremy over a few years and no one reached out to have a block removed in that time.

By stepping back to get a more complete picture, we mapped what the security team wanted to what the researchers wanted, too. As a result, we flipped from "hell no" to "what took so long" — and built stronger relationships between security and research team members.

Michael Santarcangelo

Michael Santarcangelo is founder and president of Security Catalyst, where he helps security leaders navigate the shifting business and political climate to build high-performance teams that solve the right problems.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.