Presented with a choice between having influence without power and power without influence, more people would likely choose power over influencebrute strength over persuasiveness. Others would reasonably argue for a third choicebothbut the best choice isn't always available. And security professionals, who are often saddled with more accountability than authority, are among the class of businesspeople for whom the best choice may be least available.
Thus, developing the ability to exert influencethrough negotiation, persuasion, advocacy and communication (including listening)is indispensable in achieving the goals of security, many of which revolve around changing the assumptions, behavior, culture, and processes of organizations and people. In that light, when you consider all that the adroit exercise of influence can accomplish, it may just be more powerful than mere power.
Finally, to put it delicately, although women face the exact same challenges as men in terms of selling the value of security programs, they also must deal with the added complication of gender in environments that are frequently overwhelmingly male. So while the need to develop the skills of influence is shared broadly across the profession, women may feel the need more sharply, and pursue those skills more avidly, precisely because they are women.
CSO is therefore proud to sponsor the Women of Influence awards, given annually at the Executive Women's Forum (EWF), an event founded by Joyce Brocaglia, the president and CEO of executive search firm Alta Associates. Four Women of Influence were honored last fall at the EWF event held in Phoenix. The awards were given in four categories: Corporate Practitioner, One To Watch, Private Solutions Provider and Public Sector. CSO Editor in Chief Lew McCreary joined Brocaglia in bestowing the awards. After the event, McCreary spoke with each of the women about their work and the importance of well-exerted influence to their achievements.
Pamela Fusco - Corporate PractitionerFormer CISO, Merck & Co.
Exercising Influence: "Part of what I do for a living is influence younger people on how to come into the security community and what part of it they fit into. When people find out you track hackers for a living they get really excited. They think it's a great job, and they want to do it. I like to sit down and talk to them at high schools and universities, explain to them the different areas of security and understand what they want to get out of it, help them see where they fit into the security community.
"[An important] part of influence is influencing those who are not in the business. People such as my mother and grandmother. I've done presentations at assisted living facilities [where] I'm helping senior citizens understand what identity theft is. That's a lot of fun. They really listen to you, and they really care.
"Influencing senior executives I think is the most difficult piece of all. You have to really show that you know something. You have to have factual information with some power behind it, [explaining] what the state of security is within your company."
Influencing the Security Future: "If you don't know where information is, or what happened to it or who touched it, you're in big trouble. So [using a tracking technology analogous to] RFID in a document is absolutely essential. I believe that just as with RFID technology in products [in the supply chain], we really need to integrate that into intellectual property. I'm not just talking about tracking change management on a document in Microsoft. I'm talking about actually [capturing data] anytime a document is touched. Adobe has a platform by which they do that with a PDF file, with digital signatures. It gives you a history of who touched [a document], who looked at it, what was changed, when it was changed. So, with data that's been at rest for five to 10 years, you access a document thinking that it just sat there that long and no one's touched it. In reality, you'd be able to check to see if that's true or not."
Susan D. Lutz - One to WatchCEO, ELI (Electronic Lifestyle Integration)
Exercising Influence: "I think I sold the first firewall appliance in the industry [back in 1993]. And it took a tremendous amount of education. I can remember us bringing in hackers and telling [prospective customers], Look, would you give us permission to show you why you need a firewall?'"
Lutz offered free trials to prospects who were skeptical of the need. "I'd say, I'm gonna come back in a week. And if you don't like [the firewall appliances], I'm gonna pull them out. And if you like them, you can buy them.' From there, we sold hundreds and hundreds into major financials and pharmaceuticals, and in any other industry you could think of. It went from zero to tens and tens of thousands of firewalls." By doing this, Lutz took risk out of the transaction. "And that was key. It took a tremendous amount of influence to convince a JPMorgan, a Bank One, a Citigroup that they needed to do something completely new and industry-breaking. That was my first experience of influence."
Influencing the Security Future: Through ELI, Lutz is focused on security for the underserved and underenlightened home market. "The area that needs a tremendous amount of education and influence is definitely the consumer market. It goes back to having the passion and believing in it. It's going to take a lot of influence to get a consumer to understand that they need all these security features, when our [security] market is confusing the heck out of them."
Technology for the home has "got to be customer friendly, it's got to be plug-and-play, it's got to be all-in-one, it's got to be nonintrusive, and it's got to [require] no user intervention whatsoever. And it has to be a managed service, because a consumer doesn't understand the difference between a hacker, a virus or a worm, or a spyware attack or a phishing attack.
They don't know the difference. They go buy a new PC, and in 15 seconds they're violated."
Sarah Gordon - Private Solutions ProviderSenior Researcher, Symantec Security
Exercising Influence: "I've tried to influence people to integrate science into their work. With antivirus testing, it used to be simply running scanners against collections of viruses when external tests were run by magazines. Sometimes [they'd] use files that they'd gotten from the Internet. Or they'd use files that people had given them. Sometimes they were corrupted filesutilities, maybe even text files. [Around that time] a researcher named Joe Wells had started something called the WildList, [consisting of] viruses in the wild. I got together with Joe and expanded that concept into something called the WildList Organization and built this information-sharing network. Now all of the vendors share their [virus] samples worldwide. But I also created something called the WildCore, a set of all the replicated viruses from the different vendors. [These are] available for redistribution to qualified testers. So [security or IT] magazines were then able to contact these testers who actually had the real viruses to run tests on detection. That made a huge difference, because now users could look at valid tests, scientific tests, based on published methodologies."
Influencing the Security Future: "When I became involved [in security research], all approaches to the problem were technical. The trouble with that is that the problem is not solely technical. It's also behavioral. There's a lot of focus in the work I've done on profiling and analyzing the behavior of bad guys. I think this helps because if we understand the people who do this, we can understand what sorts of technical, legal and social remedies might be useful in solving the problem. The most important thing I'm doing lately involves influencing young people to take active roles as good guys.' So I've been lecturing at universities, high schools, middle schools. At Symantec we've worked with developing curricula that incorporates a multidisciplinary approach that mixes legal, technical, educational and social aspects. Technology is very important, but the problem is not just technical; it has many facets."
Annie Antón - Public SectorAssociate Professor of Software Engineering, North Carolina State University
Exercising Influence: "My background is in requirements engineering. So my training has always been in understanding what people want in a system. What are their needs, and how do we go about satisfying those needs? It's very clear that there's a natural tension between the concerns individuals have about the collection and use of their sensitive information and the concerns that companies and government agencies who collect and use that information have. When I first started working in this area I had a very naive and idealistic view that we could satisfy everyone. But the solutions that will satisfy the public are really in direct conflict with what companies and government want and need. So I put together a team at N.C. State [consisting] of a sociologist, a lawyer, an economist, and we're basically working toward social, technical and legal solutions that can help satisfy all of these conflicting viewpoints."
Much of Antón's work addresses the problem of how well business policies are reflected within technology systemsfor example, does software support compliance? "Everybody has these little checklistsyes, we're encrypting, yes we're doing this. But are they really really satisfying [these conditions] inside their systems? I would say they're not; we hear about breaches all the time. So we're trying to develop tools and methodologies that will help companies actually be able to enforce that compliance with confidence."
Influencing the Security Future: "[I'm interested in] getting the public to understand threats to security and privacy. We've been trying to do that at The Privacy Place [www.theprivacyplace.org]. Also as a country we need to increase support for researchwe need to establish some formal repeatable mechanisms that we can use for measuring and supporting security and privacy."