The Buffalo Bridle

Aug. 13, 2021
In his humorous and insightful book, The Secrets of Consulting, technology consultant and author Gerald Weinberg dedicated an entire chapter to what he referred to as The Buffalo Bridle Principle. I can distill the essence of the chapter into a brief statement made by Mr. Weinberg at the start of the section:

If you are going to control a buffalo (yes, I know it is likely a bison, but let’s go with his sound reasoning and not quibble), there are two things you need to know:

1. You can make a buffalo go anywhere as long as it wants to go there, and

2. You can keep a buffalo out of anywhere as long as it doesn’t want to go there.

He was describing one of his key insights as a consultant: that you won’t succeed if you think you can simply put a metaphorical bridle on a client and make them do what you think is best for their organization. But that seems to be what we continue to do as security professionals.

For decades now, the security industry has been awash in lectures, classes, seminars, keynotes, articles, columns, and sessions on how you, too, can talk to executives about security and get better results. There is even a cottage industry centered on social media offering you keen insights into this topic for a fee. I recently saw one such ‘expert’ post a statistic that only one-third of security professionals are proficient at communicating risk to senior executives and C-suite denizens. I am not sure what basis the author used for that statistic, but it did bolster the pitch for his services.

I was recently reminded of a parody of one of those inspirational office posters that depicted lofty mountains or soaring eagles with a pithy inspirational adage beneath. The mocking one depicted two well-dressed businesspeople shaking hands. Underneath, it said, “Consulting: if you’re not part of the solution, there’s good money to be made in prolonging the problem.”

One of my colleagues recently asked why we as an industry have yet to solve some of these key issues. He lamented the continuing need to educate the security workforce as well as executives on the management of risk. Why do we continue to wrestle with major breaches and criminal software? I certainly don’t have all the answers, but I did tell him we, as an industry, have failed to develop accurate risk metrics and remediation schemes to help non-security types make intelligent, informed decisions.

Instead of these fact-based analyses and remediation discussions, we often seek to implement fear-based scare tactics and emotional blackmail techniques. As much as we like to consider ourselves modern, advanced people, we have seen these fear tactics deployed widely during the pandemic of recent memory. The media engages in it for engagement, in order to peddle their product. People use them to try to influence others’ behaviors.

“The Delta variant is deadly!”

“You’re going to kill grandma, you selfish lout!”

In these cases, the Buffalo Bridle is one aggressively slapped on others whom we are trying to influence, or whose behaviors we are attempting to control. The reason for its ubiquity lies in its time-honed efficacy. It still works – and works quite well.

The entire security profession needs to make a better attempt at leading our respective buffaloes through reason, analysis, and data. You don’t need a master class in how to talk to executives. You need a fact-based risk management approach that accurately conveys the situation and cost-effective options for remediation. The buffalo may still choose its own path, but always save your work and stay prepared to guide the beast once more.

About the author: John McCumber is a security and risk professional, and author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, e-mail [email protected].