Enterprise Security Leadership: Negotiation Skills for Cyber Leaders
everyone. Welcome to the course. Enterprise Security, leadership in the modern era, I'm a leaf Jackson. I lead the content in community teams here on just so excited to have Dr Dead Amoroso back with us. We, uh we've done this our third session. Right at that, we've done together. So we did the
50 security controls The effect of C cell, which is on our site.
Just a awesome course across security controls. Foresee service
on and tag does an awesome job of doing an annual publication on it as well, which is a great supplementary material for it. So I strongly recommend it.
Uh, you and I, uh, spoke about last year's course, which was 12 competencies of the effect of C. So Andi really rang true with a lot of people on our site and across the industry that soft skills are really beneficial in that
in order to grow as managers, we need to develop those soft skills.
And that's why we're doing this additional course right? Is that we want to extend that course into this next era, adds more soft skills,
starting with general management skills and then growing in tow, specific security, leadership skills,
take it away. Just so excited to have you back. Well, thanks. Leave. Thanks for joining. I know your wife is getting ready to have Ah, baby said that you're doing Yeoman's duty here,
but, uh, I want to welcome everybody. You know,
this this topic of enterprise security leadership I'm not even sure was a topic a few years ago, right? I mean, what I do for a living now, what most of you do for a living
maybe didn't exist 20 years ago. Yeah, it's Ah.
So we're all sort of learning what Leaf and I and the team from Sai Buri and my team, a tag cyber noticed
is that there's this gulf
in education and training for people who believe that they want to be senior managers and leaders in a company in an organisation and government agency,
but also are connected to cybersecurity and maybe are either in the sea so role or a deputy c so or whatever. And there's
there's a lot of generic guidance, but not a lot of guidance on leadership from people
who who do this for a living to do security because there's some very specific issues
that will want to attend to, um, that are not the same if you're in a finance organization and not the same. If you're in sales or marketing,
they relate to cybersecurity. So So we put together this six weeks for people who
are interested in developing some leadership skills but who love cybersecurity and do it and probably right on their tax forms. You know, cybersecurity. That's what I put on when I fill out what I do for a living and pay taxes. I write no chase hackers for a living or something like that.
So if you like that and you also want to learn something about leadership than I hope you'll
stick with us. But as for me personally, I've been actus for like, 40 years. That's not me playing golf there on the right, that somebody with a much better swing than May,
but I grew up in a tech family. My dad was like the second PH. D in computer science ever in the world. So I had a connection to the AARP Annette when I was a little boy growing up in New Jersey
and, um, join Bell Labs while I was leaving graduate school and, you know, spent 31 years. They're doing
security and see. So now I run a company that does that kind of thing we're doing now where we help practitioners help people like yourselves
with cyber. ITT's much a vocation for me as as anything. Leaf and I became friends because I really admired what cyber was doing. I like the fact that it was more than just training a lot of relationship
embedded in there, and they were willing to give me some.
Ah, very wide sort of guard rails on the kinds of things we put together, and this course is one of the results of that. So I hope you enjoy it. I hope you stick with us for the six weeks
we're gonna kind of take you through some of the skills that are necessary. Let me getting tased story.
there is a a position in every single one of your companies or organizations that has the word. Human resource is next to it, and it's probably a direct report position to your the most powerful leader in your company or organization. That's a company that is the CEO
and your CEO has somebody reporting to him or her.
That is, um HR. Lead HR Executive Lee. I can pretty much guarantee that everybody has got that
situation. Um, so let me get back to my story. So HR
if you go back far enough say, the 19 thirties,
there was no such position. It just didn't exist. No such position. A couple of people who were doing badges of company. But there was nobody who,
in a sense, had the HR position. But what happened was World War Two
taught every organization
that that matching people to positions was really important. And if you look on orb charts for companies that existed in both 1930 1940 1950
right after the war, all of a sudden it's position emerged called personnel manager. And it was in the middle of the organization somewhere everybody had one. He read Alfred Sloan's My Years in General Motors. Beautiful book,
boring book, but a good book
about building out General Motors from 1930 1960. He puts ordered charts in there, and it's awesome because there's no personnel function. 1930 personal function, kind of love. It is a name. And then in the fifties sixties and now into the you know, to the present time. That position went from non existent
to a direct report to the CEO in about 50 years.
Now what's happened in cybersecurity is that if you go back to the seventies and eighties, there was no such thing. There's no position.
But then, in kind of the nineties, as hacking started into the thousands, you had this I t security position.
And now, more recently, the I T security positions become a C so But, for example, I've looked at the websites for the Fortune 500
and you will not find Go look and tell me from wrong. But you'll not find a company in the Fortune 500 that has the sea. So in that picture that staged picture for the website that shows all the executives that you put in the, you know, like the annual report, the seasons ever there.
But I suspect that in the next 10 to 20 years, sticking with Cove ID
some kind of a risk slash c so slash security slash you know, chief kind of preparedness position will emerge, and we will say about our position our world
that we went from being non existent to being a direct report to the CEO in every organization. That is the that's Richard directory that we're on.
And that's the backdrop for this course because I want to help you try to understand the kinds of things that you're gonna need to travel through that,
um, that that evolution at the first session for this week
is on negotiation skills
and cybersecurity. Folks, if you're like me, um may have grown up with your face in a computer like I like messing around with computers and hacking and networks and so on and not so much with other people. So it took a little time for me
toe learn to negotiate. I always thought negotiation was just pure logic.
Like if I present this obviously logical argument to you
and I can almost prove it mathematically is correct,
then what are you, some kind of dummy? Don't you get this? And I learned very quickly that that that's not the way it works, and you know the sea. So position, unfortunately, goes into every negotiation with several things that are
already kind of in the loss column. Let me listed up. First off,
when you're ah in the top job security
you're viewed by your CEO is basically being unfit for any other job. I mean, I don't want to be so stark, but it's true.
Go look at the lead security person in any agency or in any government or any organization.
Um, and that's see, So is gonna be viewed as a hired gun
and not not fit Freddie job. If people don't agree, give me an example of a C. So that went from that position. Toe like head of marketing.
It never happens. We're ahead of sales. Are gonna run the Mexican operation or going over here and do finance once in a while. You graduate up into infrastructure cause it's so in. Jason. I remember during my time at A T and T that let me run some of the other pieces in the labs like the Intellectual property team very adjacent.
But, you know, if I'd said I have um interested in running marketing, I think the whole room would have fallen over laughing like what? Are you kidding me?
You know, so that you start with that problem in any negotiation you're seen as somebody who's off the side. The second is the department of no problem that we always are seen in any negotiation
as playing the role of No, you can't do that
when in reality you're going to see that we're not about that. And to be a good executive, you have to understand that the goal here is not to make things the most secure, but rather to advance the mission of the organization that you're associated with. That's the goal, not
security, unless obviously, security is the mission I get. It
is if you work for a cyber security company or something than you. But if you're a bank, the goal is not security. The goal is to be a successful bank and learning that is tough
when your legacy is security. The third is that you're probably viewed is easily replaced. I know that sounds just terrible, but to be a good negotiator, you need to a have a position where you can dig your heels in a little bit,
and if you're seeing if somebody could be swept away, it's hard to negotiate from that kind of position, so we'll talk a little bit about that and related you're just not typically viewed as a threat. And I'm not that you should be a threat,
but there should be some of behind the kinds of things that you believe in. So we're gonna go into some of this and hopefully this will resonate with you. Now I'm gonna be emphasizing during the next of our ah personal negotiating style. And this means that you've got to come at this
based on who you are and not have a lot of coaching over the last few years and have learned that most people on this call,
um, and who are attracted to cybersecurity have one of three personality tendencies. Let me tell you what they are.
The first is what I'm called a technical personality tendency. I mean, you're a techie, but it means you believe that you can get in and fix things, and you understand the tack or your that year. That person who you know, takes the sink apart and fixes it yourself because you don't really need to call anybody.
But you're that person. And when that's applied to tech, everyone on this call knows that that guy or gal on your team who has a technical bed and and can understand that things work doesn't have to go asking me the second is kind of a management or teaming bent. That's where
you're the person who always believes that any problem is solved best when a group of people work on it.
You know, that's a different tendency than the 1st 1 The first person would say,
Oh my gosh, this looks like it was written by a committee. This is a piece of ***. You need one person to do it. That's also that personal ways, you know, pushed everybody aside in the sixth grade and did the project themselves and told the other kids to go play and you did the project. But the second type is the one who believes that
having a group will always make things better,
and it's always better to have a committee and always better a lot of different organizations. I'm not saying that this is how you do it, I'm saying is your tendency and the third is a compliance for justice tendency, meaning that you come at things believing that there's always a sense of justice that things have to be done right.
It's more important to do it right.
And then you know anything else? It has to follow this lady and also to do the right thing, not only do the right thing, but also do it right. I see these tendencies, whatever you are, doesn't matter. But you're negotiating. Style is going to be different depending on who you are. Personally, there's no book you convey by
that says, Hey, go do it this way.
It's who are you for me? Personally, I've always been sort of intell, Odjick and math and me. I'm a professor at Stevens in N Y u I did teach math. So for me, I my tendency is to negotiate based on logic. And I have to develop a style that compensates for that
because I believe that's the weakest negotiating point of all. When you lay out logic, that's ridiculous. Nobody follows logic.
They're gonna follow other things, and we're going to go through them here. So keep that in mind as we go through this,
um, I'm gonna skip right through to the third chart is the the ultimate picture. Let's go through. Ah, model that. I really think you have to memorize, and I'm gonna almost send you off here with not just homework, but something I want you to do is a habit. From now on, before you do any meeting,
you see the sellers Alternative and sellers Settlement Range
like sellers, Worst case sellers, Best case
well and also buyers. Best case buyers. Worse case. Before you go into any negotiation, I don't care what it is. Whether it's a worker at home, you have to think through what your objective is. I'm astounded over my decades of experience how many times people walk into a negotiation
and have no idea what they're trying to accomplish.
They haven't thought through a range. They don't know what's acceptable, that just kind of kind of wing it and listen and figure out on the fly. What sounds reasonable or not like, how many times have you said Hey, let's go into this negotiation. You figure let's let's see how it goes versus
No, let's see how it goes.
You've got to think through in advance, what are you willing to do? And that's called the Settlement range. You have to develop that habit if you're going to be an executive.
It doesn't matter whether it's cyber security or some other function in the organization. If you're an executive, you learn this habit quickly. I sure did. You learn that, You know, you'd better decide ahead of time. What are you gonna be? What's what's acceptable, what's not? Because if you don't
then allow the weird tactics can be used on you.
You know, deadlines were deadlines could be applied. Pressure could be applied.
Power can be applied shock all kinds of crazy tactics that people might use to effect and influence How you, as the security person, are making some sort of decision about something that the organization is asking you to curate so, at any rate. So this
be of determining what you're accepting and not accepting allows you to conceptualize something we're calling an agreement zone. So the next year's your homework.
Then during this week, you will no doubt with your team, go into some sort of a discussion and negotiation. Some of you on this call I now or in sales and marketing.
And before you go in,
make 100% sure that before you go in, you've decided what your best and worst case would be plus the alternatives if you can't come up with a negotiated agreement
and some of you know this already. But it's amazing how many cybersecurity people don't if you sell, you got this training already. If you went to business school, you got this training in some sense already. Like for May
I'm. I went to Columbia Business School and I remember
my bent was I would listen to the
in it to the lectures, and I wanted to go up to my room and study, and I remember like I would be into these things.
I remember the joke was Come down really the way you learned businesses in the bar more on that later.
But I was always very analytical, and I got exposed to some of these things and I memorized them. And I love these kinds of models, and I think they kind of speak to people like all of us. Like this diagram
looks like the way I'd be explaining how a sim connects into your telemetry, blah, blah way. See diagrams, and we learn from it
a lot of things. Business people learn from other things, but that's why I sort of diagramed it this way, and I've seen it diagrammed in some books this way. But your homework is I really do want you to try and memorize this. Don't go into any type of negotiation unless you've thought this through.
Now I want to show you a book that I bought in the
right back in the eighties. Guy got him hurt. Colin.
That's kind of cool book like I remember liking it and I've seen this guy videos kind of likeable guy. I think the book is still out there, but one of the main message is that I remember reading was that you should be willing toe walk away
from a negotiation. Really, By not caring that much, he could see it's on the title. I think it's so funny that on the cover, and this was before Trump was president, he's saying terrific in every way, like saying the way you negotiated by not caring,
and there's some element to that. We've all been in that negotiation where somebody's like, yeah, you know, I don't need this. You take it or leave it and and that's a tough person to negotiate with because you know that that person, in a sense, really doesn't care.
But I think there's something different and something deeper.
They can either not care or you can really care.
Like there's two pictures of people that care right? And when you're negotiating with either of them, I want you to think about the depth of negotiation that you're going to deal with from Dr King or from from Ghandi vs,
a sort of surface almost gimmicky kind of negotiation where I can walk away like I don't really care. Take it or leave it. Yeah, by the house. I give you 100 bucks for that car and you want think on your butts out of who needs it? I'm gonna walk away. I get that. That's negotiation versus this kind of negotiation.
Where when Dr King is negotiating or was negotiating,
it didn't come from Yeah, take it or leave it. Here's what, not even close.
So what I'm saying is that as you think about your mission and the reason you do cybersecurity, it's not. Hey, listen,
you guys don't want toe, you know, follow what I say with this two factor and all our VPN that's your problem. Take it or leave it. You know you want to get hacked. That's your problem. Like that's not the way it should be. It should be that you believe in the mission
and that you're not walking away. The reason you do this is because you believe in what we're all about. That's the whole point. It's a better kind of vision of what negotiations should be in cybersecurity. This is surface. This is deep.
This is here. Walk away. This is I'll never walk away because this is what I believe in there really different. And by the way, I'm not saying that there aren't times when this makes sense, when I really do want to go by like I met when I met a flea market New York wandering around my wife and I would wander around little flea market
and I want I see something and it's a book and I got to give you a dollar for that.
And the guy says, Well, I really want 10. What's perfectly reasonable? Say, Listen, I I had dollar taking a leave it. I get that there times when that makes perfect sense. Then that's why I think this is an enjoyable sort of fun book,
but this is more. I think this is more closely related to what you need to internalize as you're negotiating at work.
Okay, I want you to think about this because if you're willing to walk away, you're in the wrong job.
That's what's different about what we do.
Like cybersecurity is rooted in a belief. I hope
that you're on the call here because you believe that cybersecurity makes world better.
That's what attracted you to this protecting infrastructure, making systems safe, making systems better, enabling new types of innovation, just creating a better world. That's why you do this. And that's why this picture, I think, matches up with Sensibility more, more directly.
Then the others now want to show you something that I think is a pretty interesting. I'm gonna pause real quickly. Just Krug put a couple of things here. There's some other comments here, like somebody asking about relations with other business executives and security executives, that they like them
well, just whether they will get to some of that. The personalities that he says exhibit sometimes
are are likeable or not usually not so I see that we're touching on many of these comments here. So keep the comments coming on. I'll do the best I can to try Teoh
attend to the Mist as they do come in. Um,
let's see. So this is an example. This picture is something that I think is important to look at and and the reason for it. So let me show talk tough about this picture. And it's not there for any political reasons there because I tried to think of a back channel example
because I believe it's something security people don't understand.
Here's what I mean. Let me first tell you what the story is. You probably know this one during the Cuban missile crisis.
You know, the Robert Kennedy was the ah attorney general. Ondas brother John F. Caves president and the John F. Kennedy put together ah, essentially kitchen cabinet
that had to deal with a terrible crisis that was going on between the United States and
the two brothers apparently stepped out from the negotiation, were worried that things were not going well and decided that they were going to go make a back channel call
and and cut a deal which apparently, they did involve turkey and smother them. And and the
The deal was caught in the United States and Russia came to an agreement, and
the public face was one thing. But we all learned later that the back channel negotiation was what cut the deal.
Cyber security people are the first ones, including myself,
to make fun of playing golf
and to make fun of going to a social arrangement and to make fun of building relationships at a personal level with business unit leads.
If you're like me, you don't come to that well, like I am the classic nerd who hates cocktail parties hate them.
But I found as I moved up in the organization, I had to figure out how to navigate them, and I hated them. I'd sweat bullets. My wife had to teach me
how to walk into a cocktail party. Here's what she taught me, she said. When you walk into a cocktail party
and there's all those little clumps of two people, three people, four people, they're all talking
and you're not sure what to do.
You should recognize that every one of those little clumps would welcome you coming because they're all board of the person they're talking to. That I was like, what? And she said, Yeah, like, you see those two people over there? I gotta go over there, just walk right up and say Hi, I'm Ed and you'll see in their face how happy you are
that you joined because they would rather it be a three person conversations
easier or one of them is looking to break off. You've done them a big favour by doing that. And I never knew that
I don't Tuckey. I don't go to cocktail parties. But I learned that I went Wow! Holy *** that works. And that's something she had to explain to me because we think differently. If you're techie, you think differently.
If math is the way you learn, then you need something laid out for you Deliberately, I became great A cocktail parties and people would say, Oh, my God said you're such an extra verb. Well, I wish I could be And I was I left. And I think No, you don't understand. Like I'm thinking these are all like I see too
little blobs together in this molecular structure, and I know that if I go over,
it's stronger is three or there's four people. I'll go in a structure. Five is better than four. Let's go in. I muscle my way in high Ahmed, and now the four becomes five. They all smile and I go out. It's like magic, and I would have never known that
I was always. That person walked in the cocktail party, was terrified,
looked at my phone, found some excuse made believe I had a call, ran the hell out of there because I don't want to be in the room. Now. I walk in and it's totally different. Could somebody taught me my wife how to do it?
That's a metaphor for this course
that I'm helping you with these leadership points, hopefully in language
that a Sim administrator or an encryption expert or somebody does compliance, or somebody manages the Archer GRC or somebody does help desk for two factor or somebody in I T. Operations that you can understand because I'm one of you
and I made the crossover and I want to help you do it now. The back channel here. The reason I bring this up is because just about every significant activity I can remember in the last 30 years that I was involved in
had some back channel negotiation, meaning
you cut a deal
like you're trying to get a business unit to do something. They don't want to do it. You go to the meeting. Everybody's got their arms folded like these two guys,
and then you go off
and you cut the deal and it helped. If you played golf with that person or helped, if they were at a cocktail party and you went up to them and you had a beer together and you chatted, and then two weeks later, in a problem and after meeting you called this woman or man up and you'd had a beer with them, you say, Hey, Mary, listen,
we really need you guys to be part of this proof of concept. Were buying this Palo Alto thing
and I know your team doesn't want it. You gotta freeze, but I need I need your help here,
and that's how things get done. It's not logic. It's different. And for people who think logically,
it's a hard pill to swallow because you think men That seems like a lot of work,
but it really isn't. It really isn't it could be very enjoyable. Like I said with the cocktail parties, I like going to them now. I like going where this guy who hated it. So I hope that's a useful kind of thing, that let's go through a few rules here.
Is these air really important? This is where you taking notes.
These are the things you ought to be writing down on. First is that literally anything on the planet can be negotiated. Want to give you an example? Let's say you got a bad audit. Welcome to the club, Right, You're manage something. Let's say you're in the identity access management team
because I've used as an example because every audit always includes you guys, right,
and you've got some really bad audit and you're reading it. And let's say it's one through five and one is good. Five is terrible and you got like a three. But man, you think come on three.
It should be a 23 is for losers
and you're reading it and it's not fair. And it's But you know, that audit can't really be negotiated with,
So you just let it go? But then you remember that you took the cyber everything and my good friend and said anything could be negotiated. You think about it, you know? Well, let's think about this a minute.
has a bunch of different components to it, doesn't it? Right? There is the number, the three.
All right. I mean, I can't really think in too many cases where they're going to change the number, So
let's go on. There's the right up.
Write the words that go in there.
Can that be negotiated? My experiences? It sure can. You can go in there and change the wording. You could negotiate that. How about the timing of when it gets put out that could maybe be negotiated? How about the copy to lists? Now, I know there's gonna be a minimum copy to list, but maybe there's
some things you can do there. What about the follow up actions around that
that could maybe be negotiated? How about, you know, about on on on, you get the point like maybe you can't argue the number, but there's a lot of things. Maybe you can negotiate and that you can get in there and kind of improve the situation and
feel better about what's being presented. They're going to be things that are gonna be on the auditors list that they will not by John,
they might say you, no, I will not budge on the number. That's the number we decide the number That's it. But yeah, I'll put a paragraph in there acknowledging that you guys had really made some progress in a control area before we started the audit. I guess we didn't really mention that enough. And sure, I'll make that the lead paragraph.
Why not? And then that lead paragraph is there, and then when you're explaining it to your management, you're cutting and pasting that paragraph and saying, Look, this is what they wrote and it just softens the blow. So you want to realize there is no example of anything I've ever seen
that can't be negotiated to some degree.
And as a security person, you need to keep that in mind. Do that with your team. If you have somebody on your team who goes out, they're not going to budge on this. You should develop a habit of saying, Well, listen,
anything could be negotiated. I don't mean like in a sopranos mafia way where they agree are making an offer you can't refuse. I don't mean that. I just mean there's always gonna be some room where you can find that optimal kind of that thing I showed you earlier. That agreement zone.
There's gonna be some some real estate in there that you can travel
to get Teoh. That might be a more palatable sort of thing than just, you know, saying right off the bat, You know, there's nothing that could be negotiated here.
Now a couple of questions a pop in is a good to include procurement, finance negotiation. Yeah, no question. You should be including Depends on what the negotiation is, right? I mean, if you're negotiating with finance teams is probably the closest thing to root canal that any of us do for a living.
Um, we usually don't like dealing with finance team because they accuse us of
using fear, uncertainty and doubt, and always saying areas skies always falling in. And we always accused them of, you know, penny pinching, losing dollars to save pennies
the best way I can think of to build relationships and is bike creating common understanding like, let's say you give an example. Um, let's say you're fighting with finance all the time
and you just think it seemed to get them to understand you. Let's say there's these 45 managers over there that is just driving you crazy. Well, why don't you take the next five Friday afternoons? You know, we're all working from home.
Invite each of those managers to share with your security team exactly what they do for a living. Tell us about your background. How'd you get into finance? What is your team? Dio? What's your mission? We just like to learn. Like to meet you.
Well, first of all, they won't believe that you invited them. But then once they realize that you're legit
for the next five Fridays, you get the team together for 30 minutes. You have each of those managers tell their story to you, Have they come to the company? What attracted them? And you're gonna find that they're interesting people
and that there
things that you hadn't realized. You might find out that for some of them you went to the same school and you didn't know that
where you grew up in the same area and you didn't know that
or your kids go to the same school. You didn't realize that all these things will pop up. I guarantee you, I'm is metaphysically impossible that after those five
sessions that you don't have a better negotiating position with that team. That's what I mean here. I mean, it's that you develop a style, you build a relationship, you do it and anything could be negotiated.
There's a Governor Anonymous here saying I'm on the person shifted from HR Domain into cybersecurity. I do see that I see people coming into cybersecurity that happens frequently, and you see people popping out
of cybersecurity if they're working. Sort of in the middle level organization,
particularly the I T and H are certainly isn't adjacent function. What I'm saying is, it is very unusual to see somebody in a senior position in Cyber Goto, a position that's not adjacent directly adjacent to security. So that's adjacency.
Then someone's asking about CTS, and it is similar for CTS. They are viewed as
being kind of hired guns. Let's go second rule here. A negotiation should not be a battle, and I'm not gonna get into any politics right now. But I would say if you're American, you know that I'm both sides of the aisle. There's this view that politics is a battle. So do me a favor. Do not take your cue
from any politician on the negotiation
should work. Negotiation cannot and should not be a battle.
Um, you know, here's something I remember seeing it was funny.
Like I remember somebody saying that in the way government works, you should be this thing where, in order to get
one regulation passed,
you should have to get rid of two others. Didn't really remember that. And this whole big thing, there was a lot of fighting around this. And
I remember thinking, you know something
that that's not such a good idea.
Because then suddenly, what will happen is
you're making a game of this where your regulate your regulations become
in a battle in a game.
And now you want a rag? Well, you have to get rid of to to get your new one. And I have some
so I can negotiate. I'll get rid of my regulation
and say another purse giver. There's then to go away so you can get yours. It becomes his battle game.
And when I say battle here could have used the word game like it's not this. It's not a board game where you got these poker chips. That's not the way it should be. Shouldn't think of it that way. And unfortunately, it's often that way again in politics. Maybe the sub rule to rule to would be
watch what politicians do, do the opposite If it is idea, you're battling and there's a winner and Eliza Oh my guess. It's just a terrible way of thinking and it leads us into very naturally into three, which is the alternative is women.
And and here's an example of something you should think about. And I want you to start with the image that a goal should be. That one plus one should be three.
Okay, so when you're doing negotiation win win means one plus one string. Here's the typical example. I T teams often fight with security team they just dio
on, and you know, they say they don't, but there's often a rub.
The I T team is all about providing solutions and services at low cost, very rapid and making customers very happy. Both internal next security teams air about reducing risk,
stopping threats, thwarting different types of exploits, making sure we don't lose data leaked. Protecting our intellectual property, making sure, Bobby all the things we did and the two at times will butt heads and in particular I t operations teams
well, often butt up against security operations teams. And you got this sort of standoff.
If you're involved in the negotiation around that, my advice is to stop and think, How can I make one plus one equals three? And the way to do that is to find a way to combine operations. And if you can't do it organizationally, then just make it effectively combined. Like
create sharing teams between the operations do
Like if there's an I T operations group and a security operations group in there fighting and you're part of the management team dealing with that,
why don't you swapped the two leads
necessary? Guess what? You're fighting with security ops and guess what you're fighting with. I t operations. We've just switched your jobs,
so you're each in charge of the other thing for the next six months. Go note. Don't don't argue. Just go do it.
They walk out and they've just been given the lead role on the team that they're fighting with. You get the point. Maybe that tactic might not work, but it's an example of some of an approach where you say, Look, this is not about a winner or loser. It's about two winners.
I want one plus one to be three. I don't want this to be a situation where
somebody wins and somebody loses. So think that through tape. You know, one plus one equals three onto your computer screen,
you know, right next to your little VPN password on your on your monitor.
Learn negotiation. Texas. What we went through the agreement zone you. Actually, the truth is security. People are usually pretty good at this, that usually good at learning tactics because they usually look like methodologies. And we all learn methodologies when we're learning suffer engineering school.
So we're usually good at that. But one thing we're terrible at is adopting an understanding other person's point of view. The best book of all around adopting somebody else's point of view is Dale Carnegie's How to Win Friends and Influence People if you don't have that book. And if you've never had the privilege, the honor, the
just the the experience
of reading what I think is maybe one of the greatest books ever written by a layman,
Um, how to win friends and influence People go by the book literally after we hang up.
Don't do any more work the rest of today. Just read that book. It is a spectacularly amazing book because it's all about the fact that
human beings need to be appreciated. They just dio like If you take the list, the hierarchy of needs, I get it needs or food, water and air. Get that setting aside the physical need.
The the existential need that we all have is the desire to be appreciated.
And if you can learn to appreciate others,
you will be the most powerful person in the orbit and and I don't say you should do it in a sneaky sort of way. It has to be riel and my dad gave me that book. I was a pain in the butt Little teenager my dad's sensed that there was gonna be a problem because I was that kid who would
notice things in somebody. Somebody speech. It was wrong and just point out the ridiculous. It's like my mom would say,
Well, I was a little kid. I think was like 10 years old. My mother would say something might be lost in the house And she go,
Well, it must be somewhere. And I was that annoying kid ago. Well, Mom, listen, what you said is basically a tautology, of course, everything somewhere. And you just want to swat that kid right?
Instead of learning to climb into somebody else's head and think,
you know what other point of view I remember This is really wonderful.
Um, book I read it was one of these leadership books
and about a paradigm shift. I forget who wrote it. Not one of you probably popped the name of the book into the chat. Here is about a guy who's on the subway
and he's trying to read his paper, and there's a guy across from has got a bunch of kids and they're climbing around and being annoying and making noise. Guys trying to read his paper and finally says across the that. Hey, listen, man, I'm trying to read my paper here. Your kids are making a heck of a racket here. Could you please just make the kids shut up so I can read my paper
and the guy looks up and he says, Oh my gosh, I'm so sorry
he goes, I I we just came from the funeral home. Their mom just passed away and I wasn't paying attention. I promise. I'll ask them to be a little more quiet. How do you feel? Is that newspaper guy now? And in the book I remember is called a paradigm shift,
you feel about as low as you can get.
And the next time you walk into a conference room and you want to rip somebody
think about that for a minute. You know you don't know what's going on in their life that could have a sick kid. They could have something terrible going on, for God's sake.
It's negotiation tactics. Developing understanding of that person's point of view learned to climb into their point of view, and you're gonna be so much better at all of this and a bunch of gate. Geeks like us are terrible at that.
Number five is this is that this is a tactical one. If you're in sales, you learn this one, and that's when you're negotiating. Make it really hard for him to say no and get to yes, early, right? So if you can figure out how to, it's like there's even a book called Getting To Yes, that's pretty good.
If you're in sales,
then you like to do that thing I have listed here. Sell the meeting first, then the product, like cell. Simple stuff. Let's say you're trying to convince a your entire company to do,
um, some more intense security awareness training. You want them to adopt this fishing thing that you're going to dio and it's gonna be a little bit of a pain, but I make you all do it well, instead of just dropping it on everybody.
No cell, the concept first and sell a little bit of it and then sell that you want to get people kind of saying yes early
and make it hard for them to say no. You always say Davis and we're on the same team, right?
we're both really trying to make things more secure, right? Yes. You know, that kind of thing, that God, that's admittedly a tactic. But it's a habit that I think when you adopt, will make it easier for you to get to. Ah, more successful outcome.
This one were awesome at right. So security people show up the negotiation with data way, giving pretty annoying when it comes to this one, right? This is this is this is where we are about as good as anybody. We come
data and charts and materials and of anything.
I would say that for us, this rule is something that maybe we want to back off. I'm famous for this one. If anybody's ever negotiated with me, you know, you come in
to the room and I'm gonna have a bigger power point deck than yours with more charts and graphs and this and that, like with, uh, cove in 19. You know, I live in the New York New Jersey area. I look at data, you know, and I download and collect data, and I'm trying to make decisions
about my own business.
And and I don't like to make it based on my gut feel. So with my team, you know, we're all getting antsy. You want to get back into office in New York. I negotiate with them based on the data not based on our gut feel. But let's well, we're all in agreement
that we're going to make some decisions based on what you see
and its data, and it makes it easier if you've got that data. So this is an easy one. Here's one that's not so easy. This is one that cybersecurity people often fall for. Ah, good negotiator understands deadlines and then given example. Remember, in the 19 nineties, there was a lot of chatter around
how in the US
we were spectacularly bad
at building quality into products and into doing business. But we admired these Japanese kind of styles rumors, but called theories e
that I read in business school about how a more Japanese style of leadership waas considered appropriate at the time.
And it's funny how in those days you were happy toe wing around these generalities about a country or a style. It was really a different time. If you go back and look, it was the head of Stanford's business school wrote this book called Theories E.
But the example said he was giving, and it did does not apply to any particular culture, but it might be applied to you. Is that
Let's say you fly into a region to do negotiation
and everybody knows you have to get a deal.
And you set things to come out on Monday.
You're gonna have dinner on Monday afternoon.
You're gonna have drinks Monday evening. You're going to get back to the conference room on Tuesday. You're gonna finalize the deal, and everybody knows you have a flight back on Tuesday.
So you fly on Monday, fight on Tuesday,
and we also know that you got a town hall on Wednesday. So you have to be back then.
So if I'm negotiating with you, how important is it for me to cut a deal with you on Monday?
It's not. In fact, I'd like to just have a nice time with you on Monday,
not even discussed the negotiation during dinner.
Have some nice drinks. Have you should shop let you go to bed Monday night thinking Whoa. I really haven't cut a deal yet.
And then you show up Tuesday What's the first thing you're doing saying Hey, listen, we got to get a deal here. I got a flight out of here to clock. But when you show up Tuesday, the first thing I do is I say, Hey, listen, our senior leaders air here, they'd like to meet you. Is it okay? They came in specifically for this. What are you going to say? You know. Okay,
So now you've wasted the first half of Tuesday
meeting their senior leaders. Now it's noon
and you have to leave now to get to the airport.
And they say, Oh, by the way, I guess we should be Cutting a deal shouldn't way.
Here's what we would like
And you've got about five minutes to get to your cab.
You get the point
like that. Someone who understands deadlines. It's a little devious. I don't like it.
I wouldn't do it. But when it's being done,
you need to understand That's the rule. I didn't say Use deadlines to your advantage, right? I'm just saying,
understand them. Understand your own deadline. Estimate their deadline. Just understand them. Be reasonable about this. But if you see it being done, what would be the right thing to do in that scenario to say. Well, listen,
I have to be back. I had hoped to cut a deal with you guys. I loved being out here and meeting you. We had two great days. Let's consider this the pre work.
A real negotiation. Why don't you fly out, visit me next week and let's let's really did negotiate because, you know, I think it was great that we had a nice meal yesterday. Nice drink. Blah, blah, blah, blah by you get the point, and then they're gonna suck. Uh, okay, fair enough. And then you fly home
and they realize that they're dealing with somebody who understands negotiation that you're not gonna
squeeze a negotiation into five minutes. When you allocated two days, you're glad that you made friends with them. That's great. Hey, you fly out, visit me next week, you get the point like understanding that
is part of being a good executive and understanding how to negotiate. And then the last one is the most important one.
And that's that you connect on a personal level organizations or different than people.
We are all human beings. That's why the Dale Carnegie book is so wonderful
because he helps you understand
that human beings drive things. There's this, this little rhyme I remember he puts in the book that some life insurance company had taught its sales person. And it's so silly because the book was written like the thirties and forties. This is so silly, but I remembered it. It's
and it says man, because in those days everything was so sexist. But it was, Ah, man convinced against his will is of the same opinion still silly. But it sticks in my mind cause it's true, right? You gotta connect with somebody, figure out who they are, learned what they're about. Listen,
you know, connect at that personal level and you may find that negotiations just happened. You know, you get these wonderful results because you're dealing with somebody that you've connected with now. But I look and see if there's any Q and A here that I may be having a dress.
It's a little awkward. Is a so many things here this fairness commit the negotiating. Still, of course,
being unfair, ridiculous and fair means when win when I see someone negotiating
with the assumption that there is going to be a winner and there's going to be somebody crushed like I win and you freaking lose. I am going to crush you then that's not a negotiator. That's a despot, and that's not the way you should be doing it. And we all know that. We see that,
Antonio, thank you. That was Stephen Covey's book paradigm shift, and that's a really nice
books. If you haven't seen that, you have great insecurities. Great cup to be a great leader, good point and culture when negotiating, have culture, behavior and ethics influence, yes, culture, behaving ethics and totally influenced the way
you know, people work together or don't work together. And you should quit an organization that has a culture and ethics that don't line up with what you're doing. I think that that's really, really important,
Um, to make sure that you line up properly. Which bucket do you fall on? Let's close with that. Um, you know, we're a the top of the Ari asking about me. Um,
I'm a tech technical. The person I was that person who pushed everybody out of the way in sixth grade when it was time to like make the project
and I see the other kids and I'm like, Look,
you guys were going to just color outside the lines and do it wrong. Why don't you guys go out, go to recess early? I'll do the project. And I was the kid who always felt like I don't need to have a group of people around me. So when I became a senior leader, I had to fight that tendency
to say I could do this all myself
And that boy did. I learned I learned that I have so many weaknesses and we'll get to some of these in later discussions around how you put an organization.
Hopefully, I get back into my office soon where have a nice, clean broadband. But I guess we got through 59 minutes leave without me dropping. So that's good news.
Well, I could speak for everybody here. I really enjoyed it, and I think everyone else did here and were very much looking forward to next week. You bet we'll see. We'll see everybody next week, and I hope people enjoy the enjoy the course
Certified Information Security Manager (CISM)
A CISM certification shows you have an all-around technical competence and an understanding of the ...
13 CEU/CPE Hours Available
Certificate of Completion Offered
Certified Information Systems Security Professional (CISSP) 2021
CISSP is the basis of advanced information assurance knowledge for information security professionals. Often referred ...
16 CEU/CPE Hours Available
Certificate of Completion Offered