
Managing Difficult Infosec Conversations

January 11, 2017 | Team Structure and Management
By David Kolb, IANS Faculty

CISO Impact

Information security teams make a big promise — to safeguard critical assets across space and time. To keep that promise, they must influence their companies — from the corner office to the loading dock — to adopt safe business practices. IANS researches and analyzes this challenge, and has developed the CISO Impact™ initiative to help information security professionals keep that promise. At the root of this challenge, our research finds the imperative to master two capabilities: Technical Excellence and Organizational Engagement. This Faculty Report is one in a series of reports that focus on challenges in mastering the 7 Factors of Organizational Engagement (see Figure 2).

Figure: CISO Impact Framework – The 7 Factors of Organizational Engagement

Executive Summary

This report offers a method of handling challenging information security conversations by breaking the process down into four elements:

  1. Understand your own frame of reference – perceptions, goals, experience, etc. – as step one in preparing for a challenging conversation.

  2. Deliver a prepared and focused “change” message that accounts for the other person’s perspective on the issue (e.g., the readiness of software for production release).

  3. Productively handle the “primal response” – yours and the other person’s – as the clash of perspectives and frames of reference plays out.

  4. Learn to actively listen, effectively assert, and bring the interaction to a productive and mutually satisfying conclusion, based on influencing with integrity – not coercion or manipulation.

Information security professionals sign up for some daunting challenges. Building a toolkit of “soft skills” alongside technical expertise will make the difference in meeting those challenges. Handling conflict with stakeholders and peers is one of those critical soft skills.  

Difficult Conversations are Elemental to Information Security

The term “difficult conversations” is both an HR buzzword and a reference to a basic reality in the workplace and in life. Whether delivering or receiving a difficult message, these interactions are uncomfortable, sometimes hurtful and frequently unproductive. Information security professionals, because their charter is to change how the business runs, naturally find themselves in difficult conversations – in fact, most frequently they are the ones creating conflict with a “no,” “not yet,” “not that way,” or “yes, but only if you do it this way” message to a process or data owner.

We break the process of managing difficult conversations down into four parts:

  • Understand your frame of reference
  • Deliver a well-prepared and focused message
  • Handle the primal responses – yours and the other party’s
  • Influence with integrity

In this report, we detail each of these elements and bring them together to arm you with a proven approach for managing difficult information security conversations.  

Figure 1. 4 Elements of Managing Difficult Infosec Conversations

1. Understand Your Frame of Reference

Most information security professionals live interruption-driven existences. To help you better manage difficult infosec conversations, we start with the idea of “going slow to go fast.” Before you jump into a discussion in which you might anticipate friction, you need to prepare by considering:

  • What’s important to your audience?
  • What will make them truly listen to you?
  • How can you tailor your message to them in the most effective manner?

This means taking time to understand your stakeholders’ key concerns and resistance points, and using that insight to craft messaging that more quickly moves the process from “problem” to “problem solved.” Your reality is a construct of your frame of reference. Frame of reference derives from many factors (see Figure 2 below). Different frames of reference can lead to conflict, so it’s important to slow down and pay attention to your frame of reference and that of your audience or stakeholders. Pay particular attention where your frame of reference may differ from theirs.

Figure 2. Elements of Frame of Reference

At the end of the day, despite the fact that you work for the same organization, you most likely have different goals and priorities than the stakeholder you are meeting with.  

You need to think about where the conflict might appear, because you are delivering what may well be perceived as bad news. Knowing your stakeholders’ needs, wants and desires, and communicating that understanding to them, helps you overcome resistance. It also helps you build and communicate the right messaging, and create collaborative relationships that solve problems in ethical ways.

2. Deliver a Focused and Well-Prepared Message

The second step in the process of handling difficult conversations – after identifying your frame of reference and that of your stakeholder – is the actual delivery of the message. The individual steps that go into the delivery of your message include (see Figure 3):

  • Preparing the message
  • Examining your intentions and internal state
  • Being present and eliminating distractions
  • Asserting effectively (specific, succinct, generous)
  • Listening and clarifying
  • Dealing with responses (your own reactions and those of others)
  • Keeping commitments
  • Circling back

Figure 3. 8 Steps to Deliver an Effective Message


3. Handle the Primal Responses – Yours and the Other Party’s

This is the crux of managing difficult conversations: handling the other person’s primal response as well as your own. Your goal is to move from what we are calling the “primal response” to what we will call a “human interaction.”

When stressed, the human brain goes to its most primitive part, the amygdala. Essentially, primitive humans had a few choices: fight, flight or freeze. When a stressful situation occurs, the brain releases cortisol and epinephrine so the body can react appropriately – or sometimes inappropriately. What’s interesting is that the degree of stress doesn’t matter; the brain responds the same way. If you are confronting someone with a difficult message (e.g., you need to spend money, push timeframes or increase resources), the other person’s brain is going to have a primal reaction in the heat of the moment. When that happens, you have a similar response. These are the two primal responses you have to manage before you can get to the human interaction phase of the conversation.

Let’s take a look at three specific primal responses you may encounter:

  • Fight: The person attacks or deflects your message. They make it about you, blaming “your stupid team.” Other components of the “fight” response could include:

    • Detailing – Bogging you down with unnecessary details while you try to deliver the message

    • Impracticality – “Sounds good, but we just can’t do that here”

    • Methodology – “It won’t work for us”

  • Flight: This type of response can include:

    • Solutionizing – Going to the solution too quickly with no commitment to act

    • Intellectualizing – Shifting to theory and spinning hypotheses

    • Changing the subject – Just that…”there’s something shiny!”

    • Timing – “This is a bad time to do this…maybe in a few months”

  • Freeze: This response is typically characterized by:

    • Silence – Flat affect, no engagement, waiting for you to go away

    • Compliance – Happy to help, but no follow-up or commitment

    • Confusion – “What?”

When dealing with these types of responses, you should try to deflect aggression, clarify, listen, focus on the issue, be persistent and reframe the discussion. If someone engages you with the “freeze” response, for instance, paraphrasing can be helpful. For example: “I can see that what I shared with you is a shock. Can you please explain further why you reacted this way?” You need to be comfortable with silence. Another strategy, in the case of a “freeze” response, is to give the person some time to think and reflect: “Let’s get together again tomorrow morning.”

To build trust, enter these conversations prepared to suspend your agenda, so that you really can listen in a non-judgmental way. Be curious, ask questions and paraphrase what they have said so that they know you really understand their frame of reference. Be patient and allow the individual sufficient time to process what you’re saying. Eventually, when you focus them back in and assert your point of view, they will be less resistant and more open to hearing your frame of reference. Going slow in the early stages to go fast during later parts of the process will move you toward a human interaction, getting to a place where you can influence the other party toward action while building trust.

4. Influence With Integrity

There are a number of useful influencing tactics available, and many people are unaware of most of them. Each of us has a few “go-to” tools we are comfortable with that align with our operating style.

Consider the analogy of golfing with only putters in your bag. You need to be able to pull out the wedge, 7-iron or driver depending on the shot. In the same vein, you need all of the tools to successfully influence the person you’re speaking with, not just the one with which you’re most comfortable. This enables you to adapt when the situation calls for it. The trick is knowing when and how to adapt, but it’s easy…you just listen. The tools you lean on the most are the ones that are most effective for you. Likewise, when you listen and observe, people will tell you and show you what they are open to. It saves a lot of guesswork on your part.

The effectiveness of your influencing involves three core elements: skills, power and tools. The skills are interpersonal skills, listening and asserting. Listening actively and asserting in a clear, concise, compelling way provide a foundation to being able to influence others:

  • Listening – Understanding the other person by connecting, listening, slowing down, asking good questions, and paraphrasing what they share in content, feeling and meaning

  • Asserting – Being clear, concise, compelling and confident in your delivery and putting it in a frame of reference that they can understand. This is the benefit of listening first, because you can better tailor your message to address their needs, wants and concerns.

Once you’re comfortable with these skills, consider the “sources of power” you bring to the conversation, which could give you some leverage in the situation. These can include:

  • Expertise
  • Presence
  • Confidence
  • Network
  • Insight
  • Reputation
  • Character
  • Resourcefulness

You should determine which of these sources of power are most valued in your organization and lean on those. Then, assess which “golf club” or influencing tool will be most effective during difficult conversations with various stakeholders. This is where you move from the primal response to human interaction. The menu of tools includes:


Figure 4. Menu of Conversation Tools

Look at the list above and think about which ones you use the most. These are your default influencing tools. Practice the others so you can identify them when you see or hear them, then change to that tool.
Managing difficult information security conversations is a critical soft skill needed to master the 7 Factors of Organizational Engagement. Remember that a difficult conversation is going to start with a primal response from both you and the person with whom you are speaking. You need to get past that “fight, flight or freeze” response and move to a human interaction by influencing effectively.

IANS continues to study all aspects of CISO Impact and we invite you to explore the 7 Factors, the 8 Domains and more at We also invite you to take our CISO Impact Diagnostics™ to gauge where you and your organization stand against the best industry practices measured in the CISO Impact Diagnostics.


Any views or opinions presented in this document are solely those of the Faculty and do not necessarily represent the views and opinions of IANS. Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our written reports, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by the client in connection with such information, opinions, or advice.
