Using the “3 C’s of influence” to gauge the effectiveness of your security program

While doing my best to absorb a small portion of the wealth of useful information found in Dr. Kenneth Brown’s Great Courses: “Influence: Mastering Life’s Most Powerful Skill”, I had an ah-ha moment that I wanted to pass along.
Dr. Brown states that exerting influence will always result in one of the following three outcomes: CONFLICT, COMPLIANCE, or COMMITMENT.

CISOs and other security pros who have spent years in the security trenches are more than familiar with the first two: conflict and compliance. The bulk of our time, it seems, is spent squarely in between.

If we have finally exerted enough influence, successfully managing past conflict and adeptly wielding the compliance ax to “be compliant”, we tend to call it a win and move on.

The ah-ha moment for me was the realization that the persistent, nagging feeling of uneasiness I have carried since my early days of security leadership is the “commitment gap”, the gap that exists between compliance and commitment.

Failing to achieve commitment from stakeholders results in, at best, compliance. While certainly better than conflict, compliance by itself is inadequate and a hollow victory to be sure.

Commitment is a high bar, and unfortunately not always something that can be obtained, but it should always be the goal.

Do you agree? I’d love to hear about your successes, challenges and thoughts on this or any other information-security-related topic.

Please note: I reserve the right to delete comments that are offensive, off-topic or that I would not want my mom to see.
