Season 3 coming summer 2024...
July 24, 2022

S01E07 - Influence or Title

S01E07 - Influence or Title

Oooh. This is a good one. How many times have you heard that you get more done through influence? How important is title in "getting stuff done?" Join Paul and Jason as they debate this very non-binary question that has so many shades of grey it makes Shades of Grey look like MAD magazine. Guess who takes which side? It might surprise you if you know our backgrounds.... oh, and there's a LOT of disclaimers cause we are debating as if there are  only two answers to this. 

Transcript

S01E07 - Influence or Title.mp3

 

Paul [00:00:11] Welcome to F-Sides.

 

Jason [00:00:13] That was a very caffeinated Paul.

 

Paul [00:00:15] And that was Jason.

 

Jason [00:00:18] And this is emphasized.

 

Paul [00:00:20] So this is the Cyber Humanity podcast where we focus on the human side of cybersecurity.

 

Jason [00:00:27] For today's episode, we're going to talk about this age old debate at organizations age old.

 

Paul [00:00:34] All right, age old. So to be.

 

Jason [00:00:36] Familiar with this, I think any of the listeners are going to be this when you're trying to get things done in an organization is a done through influence or title and level meaning, which is more important? Can you have one without the other? That's what we're going to talk about today. å

 

Paul [00:00:50] Yeah, and this one was a real tough one, because one thing that we do is we prepare for these ahead of time. I know, you know, we spend a lot of time trying to think through what we want to talk about. And this was a tough one because we're we're banging our head against the wall, writing this one. It almost felt like we're watching Westworld. Season three are all the seasons of Lost.

 

Jason [00:01:12] Especially, you know, as funny as season three of Lost was like the pinnacle. Yeah, we got to go back anyways. Yeah, this was a tough one, man. It's about as nuanced as. I don't know, is it David Lee Roth or Sammy Hagar for Bannon? Oh.

 

Paul [00:01:22] Now let's not start those kind of wars. That's a tough one.

 

Jason [00:01:25] Sammy.

 

Paul [00:01:27] This is one where we agree. I agree with you. We may lose a listener, too, because of that statement. But, you know, what did we end up with, Jason?

 

Jason [00:01:36] You know, we ended up with the most frustrating quote in all of cybersecurity. And to be honest, in all of business, it depends.

 

Paul [00:01:44] Yes. Sorry, Bob, which is a little double entendre there, if you know what one of our favorite movies is and that we often quote here, office space, and it's where the Bobs are. The consultants and consultants are sometimes notorious for when being asked a direct question to have the answer of it depends.

 

Jason [00:02:06] Yeah, man, every time I hear it depends. It makes me want to throw my Depends undergarments and so on.

 

Paul [00:02:12] So what are we not going to do in this episode?

 

Jason [00:02:16] We are not not well, we're not throwing under undergarments, but we are also not going to go with. It depends. We're going to take a stand on this one.

 

Paul [00:02:25] Yeah, that's right. And I'm going to take a firm stand on on this topic, even though we may both have we believe in the other topic a little bit as well. We have counterpoints for both sides. We're going to take a stand on the topic. And in a way, that's another.

 

Jason [00:02:41] And we're going to see where we end up, even if it's beneath that old Georgia pine.

 

Paul [00:02:44] Know what on earth what? I don't understand that. That's not from office space. What is that?

 

Jason [00:02:50] No, that was a little 19th country music reference for you, and I forgot your penchant for not liking country music. Well, hold on.

 

Paul [00:02:57] Don't. Don't pen me too much on that. I don't like most country music. I like some country music.

 

Jason [00:03:03] Okay, so. So it does depend. It depends.

 

Paul [00:03:05] Only for your.

 

Jason [00:03:06] Love of country music.

 

Paul [00:03:07] Well, it most definitely does not depend. But we can save that personal story for another podcast.

 

Jason [00:03:14] Okay, I see some opportunity there. If I were cyber cybersecurity, we're a country song.

 

Paul [00:03:18] Whoa, whoa, whoa. Just slow your horse down that old town road.

 

Jason [00:03:23] For someone who doesn't appreciate country music, that was a very good reference. Strong work. Strong work.

 

Paul [00:03:29] I researched the right time.

 

Jason [00:03:30] Yeah, I was about to break out my Stetson. Good job. So we know where I'm at. This is a stupid question of the world. Where are you? At ball.

 

Paul [00:03:38] Yeah, so I'm going to talk. Good. So again, the debate is going to be influence our title and level, and I am going to focus on influence and that would be Jason's going to focus on.

 

Jason [00:03:51] I always get the uneasy part of these debates, but yes, I am going to focus on level and title being more important. But first, let's I want to set some ground rules. We are talking about the organization overall, not your individual team as a leader of a team or if you're a manager or even if you're working on a team within that team, subset influence trumps title and level every day of the year. If you're being a good leader and you're doing and you're being a good team, I agree. I want to make that clear. This is across the organization, a large or SMB with your SMB, your enterprise. That's where this debate is going.

 

Paul [00:04:26] On adjacent SMB means.

 

Jason [00:04:30] Server message. BLOCK It's a technology. Wait, no, that's not it. Even I get my acronyms confused. It's a stands for small or medium sized business, which is the large majority of America, is a small to medium sized business, under $1,000,000,000 in revenue. If you if our audience raise their hand, I'm guaranteeing nine out of ten of them work for one of these assemblies. I'm not going to guarantee that, but I'm pretty confident. All right. So I'm taking title level mostly. You know, I'm taking it with a smiley face because I believe it's undervalued and underrated. I think influence gets all the press and it's I focus on it as a leader. I absolutely focus on how am I leading, how am I? My security awareness training influence is absolutely a priority. But if we don't put it not enough behind title and level and it gets downplayed, it's like, Oh, you can do your job with influence. I'm going to argue that I believe that much like compliance, it's another debate for another time. I believe compliance is kind of the same way that title and level is really the true engine of most SMB security programs.

 

Paul [00:05:32] Well, let's make sure we're both, because I think we're both on the same page on this. But just for our audience.

 

Jason [00:05:37] We know we can't be. They're not allowed to be.

 

Paul [00:05:40] Okay, sorry. Sorry. Yes.

 

Jason [00:05:41] So get get off my page.

 

Paul [00:05:43] Where I would say that influence is far more important because influence inspires action. It gets long term support for your program. And while title may get you short term gains, long term you really need influence. And the relationships and the trust between the org, the different teams to really get a program that's sustainable and long term that goes beyond the, you know, 24 month cycle that, you know, I've I think we've all seen the statistics of see shows like oh.

 

Jason [00:06:15] So here we go. Now, here goes independence is important.

 

Paul [00:06:19] And you know, and I know again, I know we got to take a hard stance, but I will I will absolutely support influence being the the long term play.

 

Jason [00:06:29] Great. Yeah. Okay, here we go. Because I disagree. The you know, and this is this is personal to my heart. I have a CTO. I used to work for who I'm great friends with to this day. And he has that stance that, hey, I don't get things done. I mean, he says this with a straight face. This is how much I'm a I'm a believer. This he says, you know, I don't get things done because I'm CTO. I get things done through influence and I call shenanigans like you're saying that you are CTO people do what you say because they see your title and we're going to talk through this. Paul And I'm going to have some I'm going to have some anecdotal ideas and ideas. I mean, I have some I'm going to break out some anecdotes to show that title and level gets you so far and so much further than influence. Well, with security.

 

Paul [00:07:15] And where I would look at influence, I've seen where, you know, you may when you talk to people and you talk about security, you are able to really get people to buy in and to do security when you're not there, when you're able to influence them on the why and what's important and why it's important. So you don't just get the transactional behavior that you would. Sometimes with institutional power, you'll get the long term sustained. Okay. Hey, Paul's not around or the CSO is not around. We know this is the right thing to do. Let's just go ahead and do it. And that's what insurance get you.

 

Jason [00:07:52] Let me challenge you with that, if you don't mind. Four years we had and we still do and we're changing is an insecurity. Even on your bank account, you're seeing this change with four years. We had passwords, how many end users hate passwords and would not want to use a password if they could. And they don't when they don't need to. When we teach and we influence and we say, look, you've got to have a good password, but people still use password. One steals, people still name their password after their dog. If influence were so powerful, we'd have we'd people would like, Oh, I don't need a password policy. I'm going to create a 15 character password, I'm going to create a passphrase all on my own because I've been influenced to do so. But it doesn't work. You got to you have to set a standard in the policy and give that firm, Hey, you have to do this. You've got to set a password that's complex.

 

Paul [00:08:34] Well, but that's not organizational power, that's not title. That's changing their mind either. If you say I'm the key, so you have to do this, that's not going to get them to comply with their password policy anymore. And I would actually say this is kind of a different argument because influence is very important for people to understand why they're doing things, because when somebody understands the why, they're more inclined to sustain that behavior over a long term.

 

Jason [00:08:59] Where and oh, hold on, hold on.

 

Paul [00:09:02] Let me. So but you also have to have controls in place to prevent bad password choices and so forth.

 

Jason [00:09:10] Well, but no, of course, according to the argument of influence, you can influence people to do great things to get this great behavior. Why do you need policies and standards at all? You wouldn't need something to say, Hey, you got to do this. You just say, Hey, we'd really like you to do this because this is the why we're going to you're going to really protect the company. You're going to protect your data.

 

Paul [00:09:27] Okay?

 

Jason [00:09:27] I know I don't need to have something that says. Is that I'm just going to influence you and. Well, it.

 

Paul [00:09:31] Depends on depends on what your standards are, right. So if you're using your standards as your, you know, standards are requirements, but they also help people understand how to do security in in a good way. Right. So, you know, if you're using some standards only as a stick and not as a way to inform people, then, yeah, your argument makes sense. I would say so. Not as somebody who's not in security is not does not know the day to day nuance of what they should do. They don't necessarily know that they should use strong passwords. Right. Like you may be shocked by that, but if you're not in security, you know, you may not know what a strong password means. And that's what the standards are there for to help give them that additional information to do the right thing.

 

Jason [00:10:15] Okay. Let me I'm going to challenge you on this. And this is something that you taught me way back before. I don't know if everybody knows. You know, before I was into security, as always in technology, I met Paul over a love of erasure during an MBA program.

 

Paul [00:10:29] That's a good story, by the way. We should share that one one day.

 

Jason [00:10:32] Who knows? Eighties, eighties. Techno bands, Depeche Mode, Erasure. Apparently, Paul and I both have a penchant for him, so he taught me the idea of what the difference between administrative control or technical control or reactive these control categories isn't. Paul isn't in administrative control, a level title saying the company says you must do this and because you report to the company, you have to do this.

 

Paul [00:10:55] It's a it's a set of expectations. So. Yes, and what you're saying. Yes, but typically. Well, no, no, actually, let me go back. I will agree with you that it does set the tone, the risk tolerance for an organization based off of whatever requirements you have typically. And this is a whole different conversation, but compliance requirements, which are compulsory things, you also sprinkle in things that you want to do because you want to be better. So yes, I would agree with that. But to get people to putting out standards without influence and without people without selling it to people only gets you malicious compliance, right? Like people will just do the bare minimum they have to. And what I'm arguing is that often and I've seen this happen, when you have influence, when you influence people to do the right thing and they understand it, they'll typically want to go beyond what's in your standards, right? Just like. So what I always say is standards are like laws. They don't make you a good citizen if you follow every law, right? It just means you've met the bare minimum requirement to be a citizen of that country, right? To be a good person, you need to go beyond the bare minimum laws and that's what influence gets you. It gets you people going beyond the bare minimum, whereas title often will get you just the bare minimum title alone.

 

Jason [00:12:14] And remember. Audience Remember again, I'm taking the stance on purpose to specifically debate this topic because I believe in a lot of what Paul said. But I'm going to go to I'm going to go down that path. I call I call shenanigans on that. I don't. But so security awareness training, this training that anybody here that's on this that's listening in goes I got to go take the security awareness training. Most people want to shoot their brains out because it's 2 hours of boringness. They wouldn't be doing it if it wasn't mandatory. And statistics have shown the only time security awareness training gets over 90%, meaning over 90% of your people take it is when it's mandatory, when you do voluntary. And I work with a I used to work with a company that had a completely voluntary security awareness training program, and it was great content. And they went with that whole let's get them in board. Let's do this. Let's show why it's important. Let's get fun and engaging, animated and and let's give rewards out and do this whole, like, you know, measure like all the good, fun stuff you want to do to get people to do. Training numbers didn't go over 50%, but as soon as it became mandatory and they were told to do it by the CEO, they're at over 90%.

 

Paul [00:13:19] Okay. So let me put the caveat, since Jason put the caveat in that I agree with what Jason's saying, some of the components, but for the purpose of this podcast.

 

Jason [00:13:28] That we get back in character.

 

Paul [00:13:29] We are going to argue with each other because I don't think either one of us believes you can have one without the other. Right. But we're going to. Well.

 

Jason [00:13:36] I would say I need more, so. Go ahead, Paul. I cut you off.

 

Paul [00:13:39] Please continue. Well.

 

Jason [00:13:41] I'm so much in character.

 

Paul [00:13:42] What I'm saying is so when you're listening to this, know that we both believe that you both you need both. But let's I'm going to take the extreme view and say influence only. So, you know, there's no there's no instance that I'm aware of in human history where you've gotten 100% of anything, even when it's a very strong moral kind of thing. So for instance, like unless you're in North Korea, right, they get 100% results for their for their elections. Right. So but I would say that that's not a good model to follow.

 

Jason [00:14:15] So the elect what elections? North Korea.

 

Paul [00:14:17] They just showed a map the other day. I saw it on the that they had 100% of the vote 100% for.

 

Jason [00:14:24] Right. Because they force you in and they say, okay, check that box that.

 

Paul [00:14:28] Well, that's what I would. Argued that, yes, a 100% title based thing would make sense. Right. But, you know, you will never get 100%. So I don't think anyone's arguing that influences 100% of the solution but influence. So, you know, when I we have annual security awareness training, but we've also supplemented it in organizations I've been at with secondary, right? So you have the annual thing and then you have the every month you can do a different one. And you know, I've I've actually been very pleasantly surprised because there's no tracking, there's no art, there is tracking, but there's no reporting, significant reporting or anything that happens if you don't do it. The non-mandatory stuff that happens every month, we I've seen where you get up to 40 to 50%. To me that's influence. That's you being able to nail.

 

Jason [00:15:22] You nailed it. You know that there's no control, no security requirement, or it's something I'd want to do to be secure that I only want 40 or 50% efficacy.

 

Paul [00:15:29] Okay, but would you take zero 0% better?

 

Jason [00:15:32] Know my argument here and what I'm debating is that title and level is what you should go with because that'll get you way over that 50%. Why even bother with this limit?

 

Paul [00:15:41] Is it going to get you re okay. So it's basically people are so let's go with what you just said, right? Do I want 100% of people doing security awareness training? Forced security awareness training. Okay.

 

Jason [00:15:55] They're going mandatory, not force. We're not North Korea.

 

Paul [00:15:58] Yeah, we handed out by man mandatory hour in force. There you go. Yeah. So if you you sure you may get 100%, but if you use that alone and the enforced practice, how many people do you think are going to retain that knowledge? Right. I mean, if you're going.

 

Jason [00:16:16] To go, I'll take I'll take my chances. The same thing with sexual harassment training at work. They don't say, hey, everybody, here's why it's important to take.

 

Paul [00:16:22] Absolutely.

 

Jason [00:16:23] You have to take this. And they need 100%. No, it's mandatory. Well, they make a point. Absolutely. Well, hold.

 

Paul [00:16:28] On. Hold on now. Hold on. Oh, yes. There is a one time class that you have to do, but organizations make it part of their culture that, hey, we treat people with respect regardless of whatever. Right.

 

Jason [00:16:40] So you're obviously not talking about Uber. You're not talking about, though, there's that blanket.

 

Paul [00:16:45] There are companies, a.

 

Jason [00:16:46] Lot of bad companies.

 

Paul [00:16:48] That don't live it. And I won't say bad companies. Right. I'll say there's a lot of companies that have it that is problematic. Right. Because it's not it may not be part of their true culture. What I'm saying is.

 

Jason [00:16:57] That.

 

Paul [00:16:58] Hold on. Hold on. What I'm saying is and I guess now get past it. But what the thing I'm saying is it can't become part of culture without influence and comprehension and understanding. If you dictate it only through institutional structures, meaning title, you're it's not going to become part of the culture.

 

Jason [00:17:17] Great. Again, let me let me sum up because I do disagree with you and even without the role playing, I disagree with you. Yes. Let's agreement. You need both. Great. But I'll take title and level any day. If I have limited resources as a security practitioner, no matter what I'm doing in my business. And I've only got so much time in my day and I need to get something done. Title and level always take first will get you way more impact. It will get it done faster.

 

Paul [00:17:42] Okay, so and.

 

Jason [00:17:43] So more effectiveness. And then when you're when you've matured and you're like, okay, now I've got extra time on my day, I don't know what. See, so has extra time, but you have this extra time. Then you go down the path of, All right, now I'm going to start throwing in some puppy dogs and some ice cream. And, you know, this this fantasy world that Paul likes to lord, every guy I live in, it's like living into I live in it, too. But that's where you in my opinion, that's when you can start putting it in. But as a practitioner, start level and title will always get you more and come, well, I'll go down it. I have another, another path to a lot of companies like my old CTO would say, Hey, you don't need this. You know what I'm like? It's like Tom Holland saying people like him because, oh, they like me because of who I am. No, they like you because you're famous. Tom Sorry. They are doing what you say because you're CTO. Tim Oh, I just gave up his name. His name's Tim Baxter.

 

Paul [00:18:31] Yes. What is it.

 

Jason [00:18:33] Anyway?

 

Paul [00:18:33] Yeah.

 

Jason [00:18:34] So. But. But a problem. And this was not his company, but a lot of companies too, will use that argument to not promote and to say you don't need the title of vice president to get your job done. Well, hold on to it. You can be a manager. Let me reason. I did. I pivoted.

 

Paul [00:18:50] Yeah, let me respond your first part. So I disagree. I so let's get out of the character a little bit because it's helpful for context, right.

 

Jason [00:18:57] Okay.

 

Paul [00:18:58] To, to start a program when you're first initially in an organization and you're just starting out or rebuilding a program. Absolutely. I would agree with you. The title helps you open the doors just like a resume helps you open the door. Right. It opens the door. It gets you definitely initial gains quickly. Long term, though, you have to have influence because eventually people will start to the your title loses its effectiveness over a longer period. Right in the end unless you're. Talking about your direct reports. Right. So there is a difference, right? The CTO example, you said the fact that the person was seated probably meant they probably had a large organization and people knew that that person was responsible for their career. When you go outside of the organization, the influence is far more important over the long term. So, I mean, I think you can have a sustainable long term program without I can.

 

Jason [00:19:52] Challenge it and I can challenge that is not just unique to cybersecurity. How many C-level executives are D-backs and are jerks and are not great people? And only through power do they influence.

 

Paul [00:20:05] Only through well, they influence.

 

Jason [00:20:07] Title and.

 

Paul [00:20:07] Level they and it.

 

Jason [00:20:08] Gives them that power.

 

Paul [00:20:09] They hold on. So, you know, if they're if you're not a direct report of theirs, then they definitely are influencing they're using influence in a negative way. Right. So what's probably occurring is that, you know, that your boss is going to hear from that their peer and you know, you're going to have to deal with that. So you're actually trying to avoid repercussions from your manager who you probably either respect or who has institutional power over you. Right. So, I mean, I think influence long term. So let's go to your your title and the excuse to not not.

 

Jason [00:20:44] I believe it's a it can be a lot of companies excuse of not to promote and not to provide for frustrated. Yeah I get frustrated when I hear companies you know when I've consulted before with that will say, you know, we're bringing in a manager for a CEO level and it just needs to be managed because you just you can do it through influence. We're very matrixed to that.

 

Paul [00:21:04] Well, I agree with you on that, right? No, absolutely. Like you have to have you have to be at the right level. So what I'm not arguing that influence again, Jason, nor I or you know, so.

 

Jason [00:21:17] I feel like I'm.

 

Paul [00:21:18] Winning training now. You're not entrenched.

 

Jason [00:21:20] There's no winners here.

 

Paul [00:21:21] We don't that we don't recognize that you need both. So, yes, if you're if you're a manager and all the people you need to influence are senior vice presidents, it's a lot longer road to get the influence you need. Right. And you may not get the doors open for a long time. So you do need. But you I think you would agree with me that longer term you need influence to build the relationships, to get the phone call, to get access very quickly. Right. To to be able to get people to do things without you being there, so forth and so forth. So I would agree with you that you have to you have to have a C so at the right level. Right, whatever that level is at your organization.

 

Jason [00:22:00] Sure thing. Yeah, I agree. You know, and influence is definitely important. Cersei Lannister, you know, she got shit done through influence. Oh, wait. No, that was torture.

 

Paul [00:22:09] Yeah.

 

Jason [00:22:10] That's another reference. Another reference. Paul I don't think gets you didn't.

 

Paul [00:22:14] I don't. But I'm assuming it's something like the North Korea reference so you know there's everybody like that.

 

Jason [00:22:20] Yeah.

 

Paul [00:22:20] Every every culture is a little bit different organizational culture. So but you know, again, I just to go back right I mean you've heard two different views and we've tried to take it in a very stern like we taken the persona of somebody who only believes in one. But again, overall, you know, Jason, I've talked about this in the past that we both agree that title gets doors opened and it helps you get things done initially. But you absolutely need to have people believe in the program to, to and through influence and whatnot to really make a significant difference.

 

Jason [00:23:00] Yeah, let me let me so much to my here's my take away for the listeners fight for level and title no matter what your role where you're at. Always always fight for level a title. You will get more done in cybersecurity, especially, I think, in life in general. I mean, who would want someone working on you who doesn't have the title of doctor if I'm going to go in for surgery? Hey, this is Joe. He's just he's really good at what he does. He's. He's really friendly. Talk to him. He's great. He's going to make you love medicine. No, I would like title and level. Please fight for title and level in your role. It's going to get you more. It's going to get to you faster. And especially when you're starting out and even further down the line, always keep title level as your number one priority. Number two priority is absolutely influence.

 

Paul [00:23:43] And I would do it the exact opposite personally, but that's okay. I mean, there's always different approaches. I would actually say work on building, influence your sphere of your sphere of influence and, you know, getting others on board. But again, you do need title you do need title one to make you feel like you're part of the that you have the rights that you're compensated fairly and whatnot. Right. You don't want to be a manager doing, you know, SVP job, but I think the longer term play is influence.

 

Jason [00:24:16] Awesome. So audience, you be the judge, is it influence and then title or title then influence. Let us know your comments. Where can they let us know our comments on our LinkedIn page or F sides dot com. You can leave comments on the episode. We'd love to hear from you. Or you can email either of us. Our contact information is on our LinkedIn.

 

Paul [00:24:33] Thank you.

 

Jason [00:24:35] Thanks, everybody. Oh.

 

Speaker 3 [00:24:37] Is the elephant in the room?