Leverage your passion for security, but manage expectations

The CIO gave Charlie a heads up: at next week's executive meeting, he would need to explain how the company was prepared to handle ransomware. The topic was already near the top of his list, so Charlie dropped everything to make sure he was ready. This was an opportunity.

After a few days of checking research notes and going through assessments, Charlie decided to press for multifactor authentication (MFA) for everyone. He put together the headlines, cited the studies, and built a slide deck explaining how it worked and why they needed it.

It really clicked for Charlie when he connected a minor phishing incident that almost cost the company a million dollars to the need for MFA. Amped up, he walked into the executive suite, ready to dazzle them with the answer and the plan.

They met his passionate and detailed presentation with… silence.

No one pushed back, and no one asked a question. Charlie offered them an obvious solution and all he got was a simple thanks before they moved on to the next topic and he left the room. He didn’t even have time to ask about next steps.

Charlie called me, crushed. What had just happened?

(Note: this is a true story, but with a different name and details changed in the interest of privacy and security.)

Unchecked frustration creates friction

Security leaders experience frustration like this all the time, partly because security is hard and complex. Business leaders know they need it, but don’t quite understand what that means.

Whether we’re trying to explain why we need to invest more in new firewalls (but we already bought firewalls), or need to assess the risk of our third parties (while the business is pressing for an exemption so they can get going), we are constantly under pressure to come up with solutions to endless problems.

Sometimes we get excited, because it just feels so obvious.

But it's not. We get ignored or people push back on what we view as the clear solution to their problem. We end up leaving meetings with no direction and what seemed easy goes nowhere. We wasted a lot of work and still people don’t seem to get it.

All we needed was for a few people to do what we asked. To trust us.

Instead, we get friction that erodes value, destroys trust, and burns people out. As friction builds, projects slow (sound familiar?) and grind to a halt. As a result, everything gets more complex, takes longer, and costs more.

But you don’t have time for this. You’re passionate. You want to see the change happen.

Ah. There it is: We’re proposing change.

Our passion for immediate change sparks resistance

Change is hard, even for the right reasons.

We change when the current situation is more painful than the perceived discomfort of changing. Often, the perception of the discomfort is worse than reality.

Two years of a global pandemic create a lot of anxiety and discomfort. A lot of folks just want to get back to something that feels familiar with less discomfort.

We meet them with a passionate plea to change more, faster.

We all hope our passion is contagious, but often it can leave people uncomfortable, preferring to linger comfortably in the current situation.

Your passion is a signal

So what next? Show someone else why the passion is worth the change. For example, make zero trust seem less negative and more appealing. Explain what it means to them. They need to understand security in their own context.

Start by thinking about your experience and the answer to these three questions:

  • What problem were you trying to solve?
  • What gets you excited about the solution (what can you do as a result)?
  • What was your “aha! moment” that put it all into perspective?

Reminding people of the problem and the value of a solution starts an important dialogue. Let them know what connected the dots for you, and maybe you’ll do the same for them.

Ease change, give people a map

Connect the dots for folks by giving them a map: A current situation, a destination, and a path to get there. They can fill in the gaps by contributing their experience and insights. The key is connecting the solution to something they care about. Take away the mystery, connect the abstract plan to reality, and give folks a chance to process, ask questions, and see their role in the journey.

And this is where the technologist needs to go beyond technology. Engage people at an emotional level with empathy. Listen to their concerns and explore solutions together. Use what you learn to make it easier for people to embrace the change to ease the journey.

So what happened with Charlie? A few weeks after the meeting, the CIO decided MFA was a priority and tasked Charlie and team to make it happen. Now it’s another priority project added to their already-too-big list of things to get done. 

Michael Santarcangelo

Michael Santarcangelo is the founder of SecurityCatalyst.com, author of Into the Breach, and creator of the leadership-driven Straight Talk Framework – with our favorite question, “What problem are you trying to solve?”
