Culture change

Manipulation vs influence

By James Moncrieff, Former Undercover Officer turned CISO

Manipulation. We’ve been taught to see it as a dirty word. The self-help gurus and bite-sized wisdom on LinkedIn and Instagram will tell you it’s toxic.

And maybe sometimes it is.

But in my world - first undercover policing, now cyber security - it’s rarely that simple.

Few people can say they’ve spent part of their career convincing dangerous people to share secrets that could save lives and then used those same skills to protect businesses from cyber threats. James Moncrieff has done both.

In this opening piece of his Culture Change series, James takes on a provocative question: is there really such a clear line between manipulation and influence, and should security leaders care? Drawing on stories from covert policing, sales tactics, and corporate security, he explores:

  • Why the skills that win over informants aren’t far from the ones needed to win over colleagues.
  • The uncomfortable truth that influence often is manipulation and why that’s not always bad.
  • Why most security awareness fails to change culture and the one word that explains why.
  • How listening, not lecturing, is the real key to lasting security buy-in.

The lie we tell ourselves in security

Let me put you in a situation. You’re a counter-terrorism detective. The only way to stop an imminent attack is to play a role, become someone you’re not, to earn the trust of a dangerous criminal.

Would you do it? And if you did, would that be wrong, or simply necessary?

In covert operations, you quickly learn there’s no one-size-fits-all approach. One contact might respond to someone who’s calm and deferential. Another to someone with quiet menace. Others need intellect. Or humour. Or street-smarts.

The endgame? Gain trust, and keep it long enough to get the truth you need.

When cyber security needs the same playbook

If this sounds familiar, it should. In cyber security, we often need the same skill set. We adapt our style and approach to fit the stakeholder we’re trying to reach, whether it’s the CFO, the Head of Ops, or the engineer in the field.

The techniques look a lot like sales: build rapport, keep the connection alive, and, when the moment’s right, move the other person to take action.

Finding the leverage point

In covert work, “leverage” might be someone avoiding a prison sentence, removing a rival, or protecting their family.

In our world, the leverage point could be avoiding a regulatory fine, hitting uptime SLAs, or protecting the brand’s reputation. The mechanics are the same: identify what matters most to the other person and connect security to it.

That’s not about being dishonest, it’s about being effective.

The line we pretend exists

We like to think we “influence” rather than “manipulate.” Influence is “the capacity to affect the character, development or behaviour of another.”

Manipulation is “influencing another in a clever or unscrupulous way.”

But in security, who decides what’s unscrupulous? When we highlight the risks of ransomware or the personal liability of a breach, are we scaremongering or educating? When we dangle the business growth of an ISO27001 certification, are we selling or protecting?

But really, we manipulate all the time and that’s not a bad thing. It’s how humans change other humans’ behaviour.

Why our approach fails

If manipulation works for undercover operations and sales, why doesn’t it always work for security culture? One word - perpetuation.

A handler only needs an informant’s cooperation until the job is done. A salesperson only needs their customer’s attention until the ink dries and the commission clears.

We don’t have that luxury. Security isn’t a one-off transaction. We need behaviours to stick for the long term. Our “deal” is never done.

Their bigger picture, not yours

We often think we understand our colleagues’ bigger picture, but we don’t. We assume “being secure” is their top priority. But have you considered what they might sacrifice to do what you’re asking? Lost productivity? Missed revenue? A blown customer deadline? Maybe even a lost bonus?

If you don’t know, it’s because you haven’t asked.

The problem is, we talk too much

In security, we love being the experts. We prescribe. We present. We explain. We make the rules.

But how often do we stop talking long enough to hear what’s actually driving (or blocking) the behaviour we need?

From telling to asking

If we want genuine culture change, we need to trade some of our “telling” for asking.

We need to understand what matters most to our stakeholders and connect security directly to those priorities.

In this series, we’ll explore how to stop delivering lectures and start having conversations, and how a little well-placed “manipulation” can be the key to everyone’s greater good.

Guest writer spotlight: James Moncrieff; from undercover ops to the CISO’s chair

Whether you agree with him or not, James’ perspective will make you rethink how you engage stakeholders, and whether your “influence” is really hitting the mark. Feel free to drop your comments on the page.
