Ethical Persuasion: Changing Culture Means Building Relationships

Changing a culture requires changing people; changing how people perceive, think, and feel about information security problems. In effecting cultural change, the CISO must win everyone to the cause of information security. And to do that, as Lincoln reminds us, requires the CISO to be a sincere friend.

If the CISO is to change people, the CISO must engage in what is known as ethical persuasion, the honest attempt to induce people to change their behavior. To persuade ethically — to catch the heart which is the high road to reason — the mode of persuasion needs to be direct and honest, it needs to be respectful of people, and it must be without manipulation.

Recent work in the behavioral sciences has discovered six specific persuasion triggers that the CISO can use to influence the extent to which people will open themselves up to being persuaded.

• Reciprocity: People feel obliged to give to people who have given to them.
• Social Proof: People follow the lead of similar others.
• Authority: People defer to experts who provide shortcuts to decisions requiring specialized information.
• Consistency: People fulfill written, public and voluntary commitments.
• Scarcity: People value what’s scarce.
• Liking: People prefer to say “yes” to people they perceive like them.

It turns out that even more important than people liking us … is us liking them. People like, and are inclined to follow, leaders who they perceive as liking them. If people perceive the CISO likes them, they are more inclined to say yes to the CISO.

To influence people, win friends. An effective CISO will always be on the lookout for opportunities to establish goodwill and trustworthiness, to give praise, and to practice cooperation.