10 essential negotiation tactics CISOs should know

CISOs are constantly in negotiations, whether it’s to draw up vendor contracts, developing strategy with C-suite colleagues or drafting workplace requirements with newly hired direct reports.

“Pretty much everything I do involves some negotiations. It’s much wider than just doing contracts,” says Gerald Beuchelt, CISO of tech company LogMeIn.

Yet Beuchelt and other security leaders and negotiation experts say that many executives still fall short on skills in this area, often using arguments instead of diplomacy to try to force through unnecessary requirements while caving on their critical needs.

They advise CISOs to reframe their approach to negotiating, saying that CISOs who want to be better negotiators should see it as an exercise in trade-offs instead of a battle of tug-of-war in which there’s only one winner.

“It’s about finding deals that are valuable to all sides involved. It’s trading things that are of lesser importance to you to get something that’s of more importance to you,” says negotiation expert Brian Buck, CEO of Scotwork North America, a negotiation consulting firm.

To do that, Buck and others share the following 10 tactics:

Recognize it’s a negotiation, not a debate

Jenai Marinkovic, who serves as CISO for Tiro Security and other organizations, finds many in business don’t realize they’re in a situation that calls for negotiation; instead they think they’re in a debate.

“A lot of people think they’re arguing,” she says. “And if you’re doing that, you’ve lost valuable ground, because with an argument, it’s an exchange of ideas but there’s no action but to persuade others to see your point of view. When you’re arguing, you’re trying to be right.”

To counter the potential for that mentality, Marinkovic strives to maintain situational awareness and to thus recognize when she’s actually stepping into a negotiation.

“In a negotiation, you’re trying to get something done, to get the other party to take certain actions, whether it’s to pay for something or to support your objective,” she explains. “But if you’re arguing, you’re not working on that goal.”

Build trust

Gregory J. Touhill, an adjunct faculty member at Carnegie Mellon University’s Heinz College of Information Systems and Public Policy and a retired U.S. Air Force brigadier general who served as the first federal government CISO during the Obama administration, advises other leaders to be straightforward, honest and transparent in all negotiations. He says those traits build a trust that can help carry negotiations forward to the best scenarios for all involved.

“Building a level of trust is crucially important for establishing an enduring relationship,” he adds, noting that the tactic pays off particularly well in times of crisis.

He says he has seen colleagues have to renegotiate terms and fees when they hit financial problems – something they could successfully do because the other side trusts that they’re being forthcoming about the challenges they’re facing.

Envision what you want

Marinkovic talks about “visioning”: articulating what she wants out of a negotiation and the objectives she’d like to achieve. That, she says, gives her a target to shoot for during discussions. “I define what success looks like for me and all the parties involved,” she adds, noting that this step can be done quickly when required, as the need to negotiate can crop up at any time.

Others offer similar advice, saying CISOs should articulate goals and what they’re willing to trade to get them, weighing values against risks to make those decisions.

Furthermore, they say good negotiators identify the stakeholders who have an interest in the outcomes, which of them should be involved in discussions and what they need from the negotiations to assure everyone is aligned.

They note, too, that negotiators who don’t know exactly what they want and what they’re willing to trade to get it will likely be unsuccessful in developing agreements that work well.

“If you don’t have a good idea of the purpose, the agenda and the desired outcomes, then you put yourself at a disadvantage and you might get a result you didn’t anticipate or want,” Touhill adds.

Discern the other side’s needs

Altitude Networks CEO and co-founder Michael Coates says people often start negotiations believing that they know what’s most valuable to the other side. But their assumptions are too narrow or just plain wrong.

“You have to understand the incentives and motivation on the other side,” says Coates, who previously served as the CISO of Twitter.

For example, security teams often assume that vendors want to negotiate the highest possible price when in fact some vendors might be more interested in signing longer contracts even if it means a lower annual price tag, or getting CISOs to offer testimonials, or using a customer’s corporate name and logo in promotional materials.

“Most people don’t understand the items of values that potentially can be exchanged. They just assume the only thing a company cares about is the dollars in the contact,” Coates says.

To that end, Coates says CISOs should research in advance what the other side values and then they should straight-out ask during the negotiations.

Prepare

Effective negotiations require good preparation. As such CISOs should not only know their objectives but think through what they’re willing to cede as part of negotiations and how they’re going to approach the upcoming discussions.

A former diplomat, Touhill says he and his team established agendas, drew up talking points, deduced the other side’s points and rehearsed their dialogue in advance of actual negotiations.

“It wasn’t a line-by-line script but we knew the messages we wanted to convey,” he says. “And we knew where our red lines were, the things we were willing to give up and the things we knew that were negotiable.”

Put aside assumptions, learn to listen

Good negotiators learn to put aside preconceived notions and unverified assumptions in order to understand what requests, ideas and solutions that the other side might be seeking, Beuchelt says. They also learn to listen so they can determine opportunities for consensus as negotiations unfold.

“You have to be ready to put your own ego away and be very open and mindful of new ideas. That’s hard for everyone, because people are set in their ways and when you’re asked to change, it’s not easy. But you need to exercise that muscle and be conscious of it,” Beuchelt says.

Such efforts pay off, according to Buck, the negotiation expert. He cites one scenario where the CISO wanted to implement an email retention policy limiting the time that emails were held; the company’s financial department resisted. The CISO delved into the reasoning behind the finance department’s opposition, learning that the finance team used emails as a de facto records retention solution. Once the CISO understood that, she was able to offer a real records retention solution that met her security requirements, thereby getting the finance department to agree to the email storage limits that she sought.

“Because she understood the priorities of the other side, she was able to negotiate their full support,” Buck says.

Trade against your logic

CISOs, like many other tech professionals, can get stuck in thinking that others need to think the way they do and that others need to share the same logic. But Buck warns against believing that.

“CISOs can get trapped in trying to get people to think the way they do and then they get bogged down,” he says. “A CISO has to move past that. You don’t have to endlessly debate.”

He advises CISOs to trade against their logic, taking an “if this, then that” approach instead of trying to change people’s minds.

Imagine, for example, that a business unit leader wants to use an unvetted platform. Buck says a CISO might want to explain the logic behind the security risks. That, though, might not change the business unit leader’s mind on the matter. So instead, the CISO should negotiate by ensuring both of their interests are adequately addressed. In that case, the CISO could respond by saying if the platform is deployed, then its functionality has to be limited to what’s been proven to be secure.

“You give the party something on terms that are acceptable to you,” Buck says.

Buck acknowledges this approach might not work on every security-related item, but it will work on most.

“If something is absolutely mission-critical [for security] and it can’t be done any other way, then it’s [absolute]. But that doesn’t happen very often. Those absolutes don’t exist as much as we think they do,” he adds.

Think through different potential scenarios

A skillful negotiator starts with current and projected needs but also considers a broader range of potential scenarios that could impact those requirements, says Todd Graham, vice president at Venrock, a venture capital firm, and former head of corporate strategy for Cisco’s security and collaboration businesses.

“CISOs need to consider what happens if a vendor is acquired or goes out of business, so when they’re negotiating, they can [address those potential scenarios],” he says. “In fact, if you’re a CISO, most of your day should be spent asking, ‘What if?’ So, once you’ve considered all the possible outcomes and then the likelihood of those outcomes, you can negotiate for them.”

For example, Graham says most CISOs negotiate exits as they start new jobs, typically specifying severance pay and other such benefits, but they should also consider how certain possible scenarios – such as a data breach – would impact their roles and whether they want to retain their jobs in that case so they then can negotiate for those potential circumstances.

Keep emotions in check

The need to keep emotions in check should go without saying, but veteran leaders say they still see colleagues let their feelings overtake rational thinking during negotiations.

Marinkovic, for one, says she has seen others get angry or threatening as discussions get difficult, which then leads to communication breakdowns and strained relationships.

She has also seen the opposite: with people feeling overly confident and enthusiastic about the discussions, which could indicate they’re not thinking as level-headed as they need to be.

The other side, she warns, may be counting on that to turn the negotiations to their advantage. She says she has seen negotiators bring up past workplace issues such as data breaches or personal problems to play on someone’s emotional responses. To that point, she recites one case where a security firm’s sales team successfully used scare tactics during negotiations with the enterprise security leader to get a contract that delivered superfluous technologies to the client who later recognized it as a million-dollar mistake.

Similarly, she has seen negotiators research potential connections – such as a shared interest or a common alma mater – to cultivate a chumminess that they then exploited.

Not everyone is out to exploit the other side’s emotions during negotiations, Marinkovic says, but it’s always better to remain calm and collected as well as focused on the end objectives to ensure you’re negotiating a good deal for your own team.

“We have to manage our emotions, and if you lose control, it’s then that you need to realign and ask if [the current discussions] align to your goals,” she says.

Don’t aim to win

The object of a good negotiation isn’t to best the other side, according to seasoned negotiators, but to develop a pact that both sides are willing to implement to the best of their abilities.

“Don’t look at a negotiation through the lens of who won. In a negotiation you need everyone to leave the table happy,” Marinkovic says. She learned that lesson from a former boss, an impressive negotiator who advised her that relationships are one of the most important commodities that an executive has. “So, when you’re negotiating, you need to take care of that relationship. You can’t come at it thinking ‘I won’ or bargaining too hard or not making sure all parties come away feeling successful.”