Negotiating With Internal Security Teams

One of the things I find myself doing often is helping non-security leaders and teams negotiate with security teams. They are often frustrated with the security team’s demands and sometimes lack of connection and understanding of those demands and the impact on their own work and timelines.

This can be external or internal security teams. I’ve spoken previously on working with external security teams (see previous post below), but today let’s talk about internal security teams.

Here are some common struggles that have come up over the years: (colorful language removed for the sensitive!)

• “The security team has no clue”

• “The security team doesn’t have a sense of risk or threat modeling, and is just applying blanket policies”

• “The security team is not technical enough”

• “We don’t have any bandwidth for what they’re asking to do.”

• “They’re not following our processes or guides, or we’re afraid they will break production.”

• “Their strict policies are slowing us down.”

I hear you.

So what are you to do?

Well, this really comes down to people, politics, and negotiation.

The famous FBI negotiator Chris Voss mentioned that you need to use Tactical Empathy. You’re trying to get the other side to think about and feel your side of the picture.

According to Seth Godin, Empathy is not that you like the other person. 

“Empathy means that the outcome is important enough to you that you are willing to exercise effort to get that outcome.”

So from the security teams’ perspective, they are under the gun to secure systems, processes, as well as customer and company data.

Often though, they are under-resourced, to get the job done themselves. This can be any of the following:

• Lack of technical knowledge or experience

• Lack of people

• Lack of tools

• Lack of understanding of your processes

To be honest, the responsibility imho is on them to meet you halfway. However, we don’t live in a world of ideal conditions.

Some tactics to try to with internal security teams

So what you need to do is help them understand your world. Help them understand how your team works, the technical or logistical challenges with their asks, and even pressure them to come up with (modern) solutions that work with your infrastructure, processes, and environment. 

Help them understand that you cannot take the risk of downtime, or messing up the perfect engine you’ve built.

Offer them solutions and possible intermediary solutions and steps to their problems.

Try learning their language which is usually a measurement of risk and impact.

Maybe you can enable them to fix the problems themselves? If they have technical people on their team that can “do the thing”, then train them on how your team pushes changes.

There isn’t a magic bullet, but with the right amount of empathy and work from BOTH sides, I’m optimistic that a solution or compromise can be made.