How Do We Convince Our Bosses?

Dec. 13, 2019

This will be my last column for 2019. It is at this point in the year that many of my colleagues will take to their keyboards to crank out information security predictions for 2020. I am not sure when this trend started, but I have been studiously avoiding it for as long as it has been an end-of-year feature. I will continue to not speculate this year during projection season, but instead, will take on one of the workforce development issues that has been around as long as our profession: the staffing conundrum.

This particular instance was featured on a recent visit I made to Japan at the invitation of national officials to provide insights on cybersecurity workforce development trends. I had a meticulously researched and organized presentation with facts, figures, and tabulated results. I was really proud of the work and was eager to share it.

I stood before one audience of government leaders and as I walked them through the research, I had to painstakingly ensure I was being understood through a translator. It went swimmingly until I got the first question:

Japanese official: “How can I get my leadership to assign more cybersecurity personnel?”

Me: “Are you asking how you can get more full-time cybersecurity personnel on your staff?”

J: “Yes.”

M: “Have you performed an organizational risk assessment?”

J: “No.”

M: “Have you created a staffing plan outlining the needed positions and related skills?”

J: “No.”

M: “How many people on your staff currently perform cybersecurity functions, either as a full-time position or partial?”

J: “We aren’t sure.”

After this exchange, I was at a loss as to how to respond. For better or worse, I reached into my experience bag and dug out my Pentagon processes for a suggestion.

M: “Perhaps if you began by capturing your current positions in writing and identifying the skills gaps, you could then propose a staffing plan that includes the extra personnel you deem necessary to accomplish your mission with justification derived from your risk assessments.”

I smiled, thinking I had nailed the answer. Unfortunately, my response turned out for the worse. After listening carefully to my translated response, my interrogator wrinkled his brow and replied simply, “That way won’t work here.”

I wanted to ask, “Why not?” but felt that would be baiting this executive, so I mumbled something unintelligible and dealt with other questions. I felt awful. I was confident I was on the right track with my answer, and yet I was so totally shut down with five simple words. A culture gap had opened up that I wasn’t able to bridge.

I still reflect on how I could have better dealt with his question. What would have helped him – especially given we come from two very different cultures? Even in retrospect, I find it odd that I wasn’t able to uncover some wedge in his budgeting and funding process that would allow him to submit his request. What would be their process to request additional personnel?

In hindsight, I probably should have offered a question. Who specifically in his agency was always able to get approval for personnel and other resources? If you can identify that person, then do what they do. I wouldn’t have been surprised if this successful person had a staffing plan and used identified skills gaps to ensure their requests were thoughtfully documented and considered. If you want resources for cybersecurity, whether it be people, process, or technology, you need to be able to effectively document and defend the request. Where I come from, the first person to the table with it in writing would be successful. Verbal requests are easily ignored or forgotten. However, I am told that it may not work everywhere. Your mileage may vary.

About the Author

John McCumber

John McCumber is a security and risk professional, and author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, e-mail [email protected].