During one of the recent live Q&A calls for our ongoing “Building an Effective Security Program with SABSA®” pilot course, someone asked the following question:
“Now that we have some tools and frameworks to help us understand what the organization’s customers really want, how do we really use these with security customers [the “business”] so that we understand what they’re trying to do and how we can best support them.
“In my previous experience, you often go to a stakeholder and when you try to get them to tell you what they’re really trying to or why they want to do something, they just come back and ask you, ‘Why are you asking me this? You’re security. Don’t we already have a solution for this from IBM we already bought? Why aren’t you just using that instead of wasting my time? You’re just going to end up using what we already have anyway…’
“What are we supposed to do to really engage with them so they don’t just blow us off because they already have a solution in mind?”
Tough room, right?
I know I’ve been in this situation too, so I knew just what he was talking about.
And it doesn’t seem to matter what the subject really is, you can get a common vibe when talking to “the business” as security or even IT.
I remember many client meetings I had with business owners when I was an Enterprise Solution Architect (covering 5 different domains, including security) working on big public sector projects for well-known consulting brands when this sort of thing would come up.
The customers would be very descriptive as to how the solution should work or which components should be used.
Now think for a minute…
Why would they do this?
It’s probably not for the reasons you may be thinking.
They weren’t trying to get us out of their office (or the meeting).
They weren’t trying to do our jobs.
They weren’t even trying to drive us crazy (although that certainly is a common outcome).
You see, in fact, what they are doing in this situation is actually trying to *HELP* us.
Yes. They’re trying to be helpful.
It comes back to one of the biggest problems security and technology people have: because we don’t understand the business, we don’t do a very good job engaging with them on their terms.
Since we can’t talk to them, they try and use our language to “help” us by talking to us in our terms.
You know, those technical terms like “firewalls” and “anti-virus” and “[insert the last technical or security word you heard come out of a stakeholder’s mouth here].”
And it’s our fault, too.
We’ve trained them to do this. And we’ve done it in part because of the underlying credibility problem we’ve talked about before.
But in this case, we need some specific tactics, not just an awareness of what we need to build.
So, back to the question: what do we do to engage stakeholders so we understand what they’re really trying to do rather than telling us what they think the solution should be?
The answer is that we have to come to them. It’s the same answer that’s been around for 30+ years, but yet, somehow still seems to be elusive as flying pigs.
We need to learn about the business. Because if we don’t know it, we can’t ask questions that make sense.
And if we can’t ask questions that make sense, then we’re not going to be adding value.
And if we can’t add value…
…we’re going to be told what to do.
It’s not easy, and it’s not quick, but there are some shortcuts.
Fortunately, given a few common models and some basic concepts, you can transform your engagement with business stakeholders in these kinds of situations completely.
Not only do we dedicate a whole 2 weeks to solving this problem in the course (it’s the subject of Module 2), but it’s also something that I’ve worked with every customer to improve on probably every engagement I’ve ever done.
If you’re currently having trouble relating to stakeholders or you’re getting tired of them assuming they know what you and your team should be doing to help them the most, then maybe it’s time you got some dedicated support.
We’re not planning on running our new course again for a few months, but you CAN get the same kind of information along with a lot more direct support for your own situation right now as part of our dedicated Security Leadership Coaching program.
The details are here: https://archistry.com/go/SecurityLeader
…and if I can’t help, I pay you.
So if you have any specific questions about it or anything else, just reply to this email.
Until tomorrow…
ast
—
Andrew S. Townley
Archistry Chief Executive
