One question that’s come up in almost every discussion about Enterprise Security Risk Management (ESRM) is: how do I gain commitment to this new approach to security?
Whether it’s from your team, your peers or your leadership, commitment helps ensure your journey to enabling a risk-based, business-focused security program will face fewer obstacles.
I’ve experienced the benefit of having an organization fully support a risk-based approach, and felt disappointment in other enterprises that didn’t see the value. It’s so hard to understand why an organization can’t appreciate the difference a risk-based approach will bring.
My first reaction early in my career was personal — that it was an attack on me! But I’ve come to a different understanding now that I’ve spent more time in my career and more time developing myself.
It’s incredibly hard to change the minds of executives in some companies! I’ve run into that wall a number of times, and felt emotionally exhausted trying different tactics and approaches. Years ago, I thought I could force change upon an organization. Sadly, that just left me questioning my skills as a security professional.
I thought I had done something wrong, or that executives didn’t care about security if they couldn’t embrace my recommendations. I forgot our profession is about dealing with humans — the buildings they design, the code they write, the products they want to sell. As soon as you bring people into the equation, you have to change your approach and focus on the human element of security.
I enjoyed the greatest success in changing a security culture when I approached the program from the top down, and the bottom up. It meant more work, more communication and more training, but was worth the effort.
I started spending time with peers and supervisors in not only my department, but other teams. I’d book coffee meetings to chat with these folks about their departments, how they interacted with the security team, and what they worried about. During those coffee meetings, I learned so much about their team, their struggles, and what they aspired to achieve.
I’d take that information back to the security team and begin assessing these risks to look at ways our security organization could help. We were able to find some quick wins to help the other departments — a change in procedure, or engaging the security team earlier in a project. Some problems were more complex or involved multiple departments.
One option I used for those situations was hosting joint workshops focused on resolving a common risk. I was always fascinated to see these workshops unfold, and the barriers between teams drop as I watched participants jointly develop a practical solution. I remember some of those sessions being particularly stormy for the first few hours, but the sky would break and reveal something extraordinary. Those sessions were pretty special to me, and I remember participants leaving the workshop with a renewed sense of teamwork.
When I turned my attention to executives, I’d spend time with my leader, describing the value of a risk-based program and how security can become a trusted advisor to leadership. Once I established that trust over time with my leader, I asked for introductions to their peers so I could spread the ESRM message to the executive team — one coffee meeting at a time. This approach took more time and effort, but it meant we found common ground focused on trust instead of fear.
Focusing on the human element of a risk-based security program makes you more vulnerable professionally — but also more human.