Archive for the ‘Social Engineering’ Category

As information security professionals, a common refrain we hear is how difficult, but essential, it is to communicate the whys, hows, and whats of security to management, other business units, partners, vendors, customers, etc.  Whether it’s meaningful security metrics or why compliance is just the beginning of the whole security process, better communication can yield better results.

Recently, I’ve had the pleasurable opportunity to learn more effective ways of communicating professionally.  I attended a series of seminars and workshops sponsored by Paul Anderson from ProLango Consulting.  Paul specializes in career development and training, with an emphasis on using LinkedIn & Twitter to find opportunities, résumé optimization and advanced interviewing techniques.

I learned about how people communicate via words (7%), tonality (38%) and physiology (55%) and the essential elements in building rapport with hiring managers, co-workers, spouses, etc.  Generally speaking, people are primarily visual, auditory or kinesthetic when they talk – everyone is all three but we all have a dominant type.

Visual people look up when speaking, speak faster and use phrases like “I see what you mean”.  Auditory people look from side-to-side, speak slower and say things like “That sounds good to me”.  Kinesthetic people look down and may make physical contact with you as they speak.

Paul’s experience as a hiring manager at Microsoft and Expedia and his consulting work reveal that on average, recruiters take 7 seconds to review a résumé and hiring managers take 45 seconds to decide whether or not to hire.

His teachings focus on being able to build rapport effectively by matching and mirroring body language and tone of voice, then asking key questions designed to illustrate expertise and elicit the ‘pain points’ of the other party, in an attempt to find their need(s) so you can link them to your experience/product/service.  Finally, techniques to overcome objections while closing are taught.

Résumé optimization is about identifying the corporate values and desired employee traits mentioned in a job description, then fine-tuning the top half of the 1st page so it speaks concisely in two to three sentences of how you’ll solve their needs and problems, not an ‘elevator pitch’ of what you’ve done before, specifically.  A bullet list of core competencies relevant to the position’s requirements follows before the experience, education, and professional associations sections.

All of this was refreshing and enlightening; much of it grounded in basic common sense and how good salespeople work.  The concept behind building rapport is to become very quickly similar to the person you’re conversing with so they think: ‘I like me, they’re like me, so I like them’.

It isn’t about simple mimicry, it’s about listening closely, asking good questions, and filling their need with your expertise and experience.

So, give this a try when you’re next trying to sell security, interview for a job, or persuade someone.  Become like them in body language and vocal tone to build rapport ~ you may be pleasantly surprised by the results.

by Bill Wildprett, Suspicious Minds blog, Copyright 2010


Some very interesting research came to my attention the other day, courtesy of the ISC2.org CISSPforum on Yahoo Groups, pointing to an article in Scientific American that discussed why flattery is effective.

The research, by Elaine Chan and Jaideep Sengupta at the Hong Kong University of Science and Technology and reported first in the Journal of Marketing Research, showed that while most people can spot obvious flattery and attempts to influence them, on an innate subconscious level it actually works!

The study showed that while participants’ explicit attitudes rejected marketing come-ons, their implicit attitudes were more positive and could be used to predict future behavior.  This susceptibility to flattery may stem from the basic human need to feel good about oneself, referred to as illusory superiority or the above-average effect.

In testing whether or not the motive to self-enhance was related to insincere flattery, the researchers showed that, in the words of Scientific American, “those of us who could use a little pick-me up to begin with are particularly vulnerable to the message behind a smooth sales pitch”.

So, how does this relate to information security and why is it important?  This all goes back to social engineering and the ability to market towards or convince other people to do what you want them to.  Knowledge of these behavioral responses can be applied to social engineering as part of penetration testing and taught as part of security awareness training.  On the converse, look for this to be used in phishing attempts.

And what about security product marketing from vendors?  We all know about FUD, but should the F stand for flattery instead?  ‘Yes, this new Intrusion Detection/Prevention System does make me feel sexy!’ Probably not, but more likely about being told how much more secure you’ll be, which translates internally to how good of a security person you think you are.

The takeaway ~ keep your BS filters on high and understand that at some basic level, like Fox Mulder, you want to believe.  Doing so may open you to accepting more risk…

Food for thought.

by Bill Wildprett, Suspicious Minds blog, Copyright 2010
