[BreachExchange] 10 essential negotiation tactics CISOs should know

Destry Winant destry at riskbasedsecurity.com
Thu Jul 2 10:31:09 EDT 2020


https://www.csoonline.com/article/3564515/10-essential-negotiation-tactics-cisos-should-know.html#tk.rss_news

CISOs are constantly in negotiations, whether they’re drawing up
vendor contracts, developing strategy with C-suite colleagues or
drafting workplace requirements with newly hired direct reports.

“Pretty much everything I do involves some negotiations. It’s much
wider than just doing contracts,” says Gerald Beuchelt, CISO of tech
company LogMeIn.

Yet Beuchelt and other security leaders and negotiation experts say
that many executives still fall short on skills in this area, often
using arguments instead of diplomacy to try to force through
unnecessary requirements while caving on their critical needs.

They advise CISOs to reframe their approach to negotiating, saying
that CISOs who want to be better negotiators should see it as an
exercise in trade-offs instead of a tug-of-war in which there’s only
one winner.


“It’s about finding deals that are valuable to all sides involved.
It’s trading things that are of lesser importance to you to get
something that’s of more importance to you,” says negotiation expert
Brian Buck, CEO of Scotwork North America, a negotiation consulting
firm.

To do that, Buck and others share the following 10 tactics:

Recognize it’s a negotiation, not a debate

Jenai Marinkovic, who serves as CISO for Tiro Security and other
organizations, finds many in business don’t realize they’re in a
situation that calls for negotiation; instead they think they’re in a
debate.

“A lot of people think they’re arguing,” she says. “And if you’re
doing that, you’ve lost valuable ground, because with an argument,
it’s an exchange of ideas but there’s no action but to persuade others
to see your point of view. When you’re arguing, you’re trying to be
right.”

To counter the potential for that mentality, Marinkovic strives to
maintain situational awareness and to thus recognize when she’s
actually stepping into a negotiation.

“In a negotiation, you’re trying to get something done, to get the
other party to take certain actions, whether it’s to pay for something
or to support your objective,” she explains. “But if you’re arguing,
you’re not working on that goal.”

Build trust

Gregory J. Touhill, an adjunct faculty member at Carnegie Mellon
University’s Heinz College of Information Systems and Public Policy
and a retired U.S. Air Force brigadier general who served as the first
federal government CISO during the Obama administration, advises other
leaders to be straightforward, honest and transparent in all
negotiations. He says those traits build a trust that can help carry
negotiations forward to the best scenarios for all involved.

“Building a level of trust is crucially important for establishing an
enduring relationship,” he adds, noting that the tactic pays off
particularly well in times of crisis.

He says he has seen colleagues have to renegotiate terms and fees when
they hit financial problems – something they could successfully do
because the other side trusts that they’re being forthcoming about the
challenges they’re facing.

Envision what you want

Marinkovic talks about “visioning”: articulating what she wants out of
a negotiation and the objectives she’d like to achieve. That, she
says, gives her a target to shoot for during discussions. “I define
what success looks like for me and all the parties involved,” she
adds, noting that this step can be done quickly when required, as the
need to negotiate can crop up at any time.

Others offer similar advice, saying CISOs should articulate goals and
what they’re willing to trade to get them, weighing values against
risks to make those decisions.

Furthermore, they say good negotiators identify the stakeholders who
have an interest in the outcomes, which of them should be involved in
discussions and what they need from the negotiations to assure
everyone is aligned.

They note, too, that negotiators who don’t know exactly what they want
and what they’re willing to trade to get it will likely be
unsuccessful in developing agreements that work well.

“If you don’t have a good idea of the purpose, the agenda and the
desired outcomes, then you put yourself at a disadvantage and you
might get a result you didn’t anticipate or want,” Touhill adds.

Discern the other side’s needs

Altitude Networks CEO and co-founder Michael Coates says people often
start negotiations believing that they know what’s most valuable to
the other side. But their assumptions are too narrow or just plain
wrong.

“You have to understand the incentives and motivation on the other
side,” says Coates, who previously served as the CISO of Twitter.

For example, security teams often assume that vendors want to
negotiate the highest possible price when in fact some vendors might
be more interested in signing longer contracts even if it means a
lower annual price tag, or getting CISOs to offer testimonials, or
using a customer’s corporate name and logo in promotional materials.

“Most people don’t understand the items of value that potentially can
be exchanged. They just assume the only thing a company cares about is
the dollars in the contract,” Coates says.

To that end, Coates says CISOs should research in advance what the
other side values and then they should straight-out ask during the
negotiations.

Prepare

Effective negotiations require good preparation. As such, CISOs should
not only know their objectives but also think through what they’re
willing to cede as part of negotiations and how they’re going to
approach the upcoming discussions.

A former diplomat, Touhill says he and his team established agendas,
drew up talking points, deduced the other side’s points and rehearsed
their dialogue in advance of actual negotiations.

“It wasn’t a line-by-line script but we knew the messages we wanted to
convey,” he says. “And we knew where our red lines were, the things we
were willing to give up and the things we knew that were negotiable.”

Put aside assumptions, learn to listen

Good negotiators learn to put aside preconceived notions and
unverified assumptions in order to understand what requests, ideas and
solutions the other side might be seeking, Beuchelt says. They also
learn to listen so they can determine opportunities for consensus as
negotiations unfold.

“You have to be ready to put your own ego away and be very open and
mindful of new ideas. That’s hard for everyone, because people are set
in their ways and when you’re asked to change, it’s not easy. But you
need to exercise that muscle and be conscious of it,” Beuchelt says.

Such efforts pay off, according to Buck, the negotiation expert. He
cites one scenario where the CISO wanted to implement an email
retention policy limiting the time that emails were held; the
company’s financial department resisted. The CISO delved into the
reasoning behind the finance department’s opposition, learning that
the finance team used emails as a de facto records retention solution.
Once the CISO understood that, she was able to offer a real records
retention solution that met her security requirements, thereby getting
the finance department to agree to the email storage limits that she
sought.

“Because she understood the priorities of the other side, she was able
to negotiate their full support,” Buck says.

Trade against your logic

CISOs, like many other tech professionals, can get stuck in thinking
that others need to think the way they do and that others need to
share the same logic. But Buck warns against believing that.

“CISOs can get trapped in trying to get people to think the way they
do and then they get bogged down,” he says. “A CISO has to move past
that. You don’t have to endlessly debate.”

He advises CISOs to trade against their logic, taking an “if this,
then that” approach instead of trying to change people’s minds.

Imagine, for example, that a business unit leader wants to use an
unvetted platform. Buck says a CISO might want to explain the logic
behind the security risks. That, though, might not change the business
unit leader’s mind on the matter. So instead, the CISO should
negotiate by ensuring both of their interests are adequately
addressed. In that case, the CISO could respond by saying if the
platform is deployed, then its functionality has to be limited to
what’s been proven to be secure.

“You give the party something on terms that are acceptable to you,” Buck says.

Buck acknowledges this approach might not work on every
security-related item, but it will work on most.

“If something is absolutely mission-critical [for security] and it
can’t be done any other way, then it’s [absolute]. But that doesn’t
happen very often. Those absolutes don’t exist as much as we think
they do,” he adds.

Think through different potential scenarios

A skillful negotiator starts with current and projected needs but also
considers a broader range of potential scenarios that could impact
those requirements, says Todd Graham, vice president at Venrock, a
venture capital firm, and former head of corporate strategy for
Cisco’s security and collaboration businesses.

“CISOs need to consider what happens if a vendor is acquired or goes
out of business, so when they’re negotiating, they can [address those
potential scenarios],” he says. “In fact, if you’re a CISO, most of
your day should be spent asking, ‘What if?’ So, once you’ve considered
all the possible outcomes and then the likelihood of those outcomes,
you can negotiate for them.”

For example, Graham says most CISOs negotiate exits as they start new
jobs, typically specifying severance pay and other such benefits, but
they should also consider how certain possible scenarios – such as a
data breach – would impact their roles and whether they want to retain
their jobs in that case so they then can negotiate for those potential
circumstances.

Keep emotions in check

The need to keep emotions in check should go without saying, but
veteran leaders say they still see colleagues let their feelings
overtake rational thinking during negotiations.

Marinkovic, for one, says she has seen others get angry or threatening
as discussions get difficult, which then leads to communication
breakdowns and strained relationships.

She has also seen the opposite, with people feeling overly confident
and enthusiastic about the discussions, which could indicate they’re
not thinking as level-headedly as they need to.

The other side, she warns, may be counting on that to turn the
negotiations to their advantage. She says she has seen negotiators
bring up past workplace issues such as data breaches or personal
problems to play on someone’s emotional responses. To that point, she
recites one case where a security firm’s sales team successfully used
scare tactics during negotiations with the enterprise security leader
to get a contract that delivered superfluous technologies to the
client, who later recognized it as a million-dollar mistake.

Similarly, she has seen negotiators research potential connections –
such as a shared interest or a common alma mater – to cultivate a
chumminess that they then exploited.

Not everyone is out to exploit the other side’s emotions during
negotiations, Marinkovic says, but it’s always better to remain calm
and collected as well as focused on the end objectives to ensure
you’re negotiating a good deal for your own team.

“We have to manage our emotions, and if you lose control, it’s then
that you need to realign and ask if [the current discussions] align to
your goals,” she says.

Don’t aim to win

The object of a good negotiation isn’t to best the other side,
according to seasoned negotiators, but to develop a pact that both
sides are willing to implement to the best of their abilities.

“Don’t look at a negotiation through the lens of who won. In a
negotiation you need everyone to leave the table happy,” Marinkovic
says. She learned that lesson from a former boss, an impressive
negotiator who advised her that relationships are one of the most
important commodities that an executive has. “So, when you’re
negotiating, you need to take care of that relationship. You can’t
come at it thinking ‘I won’ or bargaining too hard or not making sure
all parties come away feeling successful.”

