Security Economy Episode 10: Get Cyber Security Buy-In with Dr. Mark Goulston

Are you struggling to get your company to invest in your cyber security priorities? When you try to talk about security with your colleagues, do their eyes glaze over? Listen to this episode to find out how to use proven strategies to finally get heard and get buy-in.

Are you struggling to get your company to invest in your cyber security priorities? When you try to talk about security with your colleagues, do their eyes glaze over? Listen to this episode to find out how to use proven strategies to finally get heard and get buy-in.

Dr. Mark Goulston

Katelyn Ilkani

Hey there, if you're fascinated by psychology, and how you can get people to listen to you, then you're going to want to hear this.

I interviewed Dr. Mark Goulston, a renowned psychiatrist and author of many books, including Just Listen.

Dr. Goulston walks us through how you can use simple techniques to get buy-in for cyber security initiatives and ultimately, reduce your business risk.

Mark, thank you for joining me today on Security Economy.

Dr. Mark Goulston

Thank you for having me.

Katelyn Ilkani

I'm really fascinated by this topic around communication, and how to be a better communicator in general.

I think it's really needed in cyber security today because it's very difficult for people in security to communicate their ideas to the line of business and to feel heard.

But before we jump in, can you tell us about yourself and about your book, Just Listen?

Dr. Mark Goulston

I'll be happy to.

I was trained as a clinical psychiatrist, and for many years, I was a suicide specialist, actually for 30 years.

None of my patients killed themselves. I tried to figure out why.

What Just Listen is about, and I'm kind of humbled by the success it's had, it's actually become a top book  in the world. It's in 25 languages, and I speak around the world [about it].

I spoke in Moscow a few months ago with a Nobel Prize winner, Daniel Kahneman, who wrote Thinking Fast and Slow.

What I realized as a suicide specialist  is, and I have seen multiple people attempt suicide, that when there was a barrier between us where I was following a protocol, I learned to look into their eyes, like I'm kind of looking into your eyes.

And what I noticed as I looked into their eyes, is they would be saying to me, "You're checking boxes and I'm running out of time."

So if you look for that, I could see it.

And I thought, "Okay, I can either keep checking boxes to cover myself, or throw away the boxes, and just listen to them and see what's going on."

And when I threw away the boxes and got where they were coming from, they started to cry, because they had felt alone.

Just Listen is a book about how do you cause other people to feel felt? Not just understood, but feel felt?

And I've applied that also into the business world, so I'm going to give cyber security people a taste of what the people who don't listen to you go through.


So, you're a cyber security person; you have great ideas; your company is at risk; and you can't sell it up to anyone. No one will listen to you.

So, if I were to say to you as a cyber security person, "I want to talk to you about feelings, why it's so important to understand feelings, feel them, and communicate about feelings," you would start to look at me and smile like a deer in the headlights.

And the reason you would feel that is because, rightly or wrongly, most of us now function in psychological silos in our head.

If you can think of a grain silo, this is where we're competent. This is where we're confident. This is where we feel in control.

And a lot of people, especially males, especially left brain analytic people, they hate to feel out of control.

So, if I were to say to you as a cyber security person, "I'm going to teach you how to relate to your spouse, your kids, you know, get into their feelings," you would look at me, and you would be nervous, because inside you would be saying, "I'm not competent to that. I'm not confident, I feel out of control."

And, it's going to escalate.

I'm sharing that because when you're a cyber security person speaking to another person in your organization that doesn't get cyber security, that's exactly what you're causing them to feel.

You're causing them to feel their incompetence, their lack of confidence, and not feeling in control. And by the way, especially with the Coronavirus, that silo is shaking in everyone.

Globally, a lot of people are feeling incompetent and losing their confidence about "Where am I going to land in the future? Am I going to have a future? Am I going to be laid off? Do I have control over that?"

So, if you get the analogy and you're in cyber security, you might say, "Okay, I got it. I got it. You know, you made me feel incompetent, no confidence, out of control, we have to talk about feelings, so we're going to throw the feelings away."

But what you really want to do is get where the other person's coming from, and they don't want to feel incompetent.

So, what Just Listen is about is basically, (here's one of the takeaways, but we'll get to some at the end), it's less important what you tell other people than what you enable them to tell you that reveals to them, and you, an urgent need.

Urgent is "we're going to take care of this now."

You know, in less stressful times, I would say what you want them to reveal is what's important to them, critical, and urgent.

I'm a medical doctor, and I call that taking the conversation to the ICU.  Important is a year from now; critical is three to six months; urgent is this week.

When people are overwhelmed, their behavior is often driven by what's urgent; what's in front of them, what are they going to get done?

So, the more that you can reveal that to them, the more you're going to get buy in. Are you tracking with me, Katelyn, is this making any sense?

Katelyn Ilkani

Absolutely, yes.

Dr. Mark Goulston

You might say, "So, how do we create urgency, especially if they want to avoid a topic? They feel incompetent, and they're just hoping it won't happen to them?"

I don't want to get into politics, but I think one of the reasons America got to a late start in the Coronavirus was a sense of minimization or denial, "Well, it won't happen here."

I don't want to get into our leadership, but they were saying, "Oh, that's not going to happen here. Just the flu, just a cold."

Then it turned out that it did happen here. So you might say, "Okay, you got me. So how do we create urgency."

Now, this is going to be difficult for you as a cyber security specialist, but it's a way to get the other person's attention.

So, if you're trying to upsell into your organization the need for cyber security, you want to get close to a decision maker who can make things happen.

One of the ways to get them to listen to you (and you're going to hate this word, but I'm going to give you a way to do it) is to be more vulnerable and real.  

People just lean into that. I mean, people lean into vulnerability, and the reason is because when vulnerability is staring at us, and you see that when you're dealing with a kid who's scared, or a spouse who's scared, you instinctively know, "I better not yell at them, or tell them, grow up."

And so here's the way you might upsell using this.

You're talking to a decision maker, and they're nodding from the neck up, and what you're feeling is they're not going to take action on this.

And here's exactly what you say, because when I coach people, I give them scripts.

Now you can adjust it. And it's something that I call "assertive vulnerability."

It's kind of like where you bury your neck, but in a strong way, and you look at them, and you're talking to them and you say, "I need your help with something."

Pause. "What?"

Even if they're distracted, if you look at me and say, "I need your help with something."


"I keep having a recurring nightmare. And the recurring nightmare is that on my watch, these are some of the security threats that we're vulnerable to. I'm telling you, it's killing my sleep. You know, and I think part of what it is, is I see those and hopefully it won't happen to us, but one of our competitors just took a big hit, and that could have been us. It's on me, and I'm having this nightmare. I need your help with this."

And they're gonna look at you and say, "What do you need my help with? Help me understand how I can take action to avoid some of the risks?"

"How can I make that relevant, immediate, urgent, because I don't know how to do that. And I want my nightmares to go away."

Katelyn Ilkani

Make it very personal.

Dr. Mark Goulston


The point is, it's true for some cyber security people. They are having nightmares, because it's on them to protect the company. And the company is not listening to them.

So we're not just making this up. But you know, something you might want to practice, especially, you're not going to get too many shots to show this assertive vulnerability with a decision maker. But that could help.

Katelyn Ilkani

That's a very interesting tactic. You own your worry and communicate that to someone in authority, so that it becomes a personal discussion and not just a business discussion.

Dr. Mark Goulston


And it's interesting, I had a friend who was a branch manager for a financial company, and he got amazing buy-in from his people.

I learned this from him, because what he would say to them is, "I need your help." And it's all tone.

If it was "I need your help!" that would communicate anxiety.

But he said, "I need your help with something. We're about to be dealing with these accounts and whatnot, and we're just not known in that community. I don't know how we can break through. But I need your help on that."

Katelyn Ilkani

Mark, does this tactic work the same way in writing?

Dr. Mark Goulston


But the point is, you might want to run it by HR or someone because if you were to say, "I need your help with something", that's a big red flag. Because when people say "I need your help," you think, "Oh my god, is this person going off the deep end?"

I think one of the ways you can say it to a decision maker in writing is, less is more.

Remember, the more that you talk about stuff that they're incompetent at, the more they're going to nod like this and and say to themselves, "I don't know what you're talking about, but I don't want to tell you. I don't understand. So, I'm actually feeling kind of stupid right now, and you're talking very technical. The more you talk technical, the more I'm just kind of nodding like this. The more I'm going to nod to get out of the conversation and be polite. I'm not going to do anything."

So, you want to break through that, and here's one thing you can do. [Here is an example related to our experience with coronavirus.] Every morning, schedule 15 minutes to reach out to people you know, on LinkedIn, or people you don't even know, but you're connected with them.

What you say in the subject line is, "Saw that you're in a hot spot. Just checking to see if you're okay. We're fine."

That's the subject line. Because when you when you say, "Just checking to see that you're okay," that's different than saying, "How are you doing?"

Because how are you doing is like one of those empty greetings. "How are you?" "Oh, I'm fine," when you're not.

But when you say, "Saw that you're in a hot spot, just checking to see if you're okay. We're fine."

And you say, "We're fine," because you want to reassure them that you're not going to hit on them with some trauma.

And that's really all you send.  This is a time to reach out and show concern.

And, they might say, "Well, I don't know you," or "Well, we're connected, and you live in New York City. I've never talked to you, but you live in New York City. You probably hear the sirens. You hear the clapping at 7pm. I'm just checking."

And it's as simple as that.

You can see how  people are dealing remotely, and cyber security people could reach out to people and say, "You know, I was just checking to see if you're okay. We're fine."

And then the subject line can be, "I got an acute case of worrying about people in the company, so I just wanted to check." That's all you say.

Katelyn Ilkani

It's actively showing empathy.

Dr. Mark Goulston


And, here's how you build on it.

You get a response, and in all likelihood, you will get a response because you're showing empathy.

You want to be sensitive because I think the first thing is, if you can hit someone with a simple, "I care about your well being, even before I can provide a service for you,"  you'll get a response.

And when you get a response, your second email is to say, "Whew, glad to hear. We're doing okay. Any thoughts on how this is going to affect our company?"

You know, but maybe we should rephrase that because they're gonna say, "Oh, this person's worried about being laid off."

Okay, so here's how I would phrase it.

So, we're brainstorming together. You're giving me your attention.

I would say, "Because I'm in cybersecurity, I could be wrong, but I have a feeling that my position is relatively secure."

Because even if the company isn't necessarily implementing stuff, every company needs their cyber security.

Right? And especially if you're the head of it, they're not going to let go of you. They're just not going to.

They may not be implementing new tools, but you could say, "I've been led to believe that my job is secure because cyber security is increasing. But any thoughts on how we're going to weather this, and is there anything I can do to help with that?"

Katelyn Ilkani

Really, this idea of just continuing this message of empathy and support before you attempt to get  any kind of agenda through.

Dr. Mark Goulston

Right, and if you're a cyber security person, I'm very sensitive to buzzwords that people don't like.

If you're a cyber security person, you can't stand the word empathy.

You understand it;, you can read up on it; but you can't stand it because it's an area that a lot of technical people feel less than competent, less than confident, out of control.

So if someone says, "You need to be empathetic," they're going to look at you like a deer in the headlights.

So, let me break it down because you might say, "Why do I have to show empathy?"

Here's a little piece that you're going to really like because it's neuroscience.

A lot of people find neuroscience fascinating. One of the reasons empathy is important is when you empathize with a person, and they feel not just understood, but felt, there is a surge of something called oxytocin.

Oxytocin is a bonding hormone. It's what enables mothers to feel close to their screaming infants, and it's necessary for the survival of the species.

And why should you care about oxytocin? Because oxytocin directly counterbalances high cortisol.

So, when people are under stress and distress, which is about everybody, people's cortisol goes up.

Cortisol prepares the body to deal with stress; your glucose goes up. All kinds of things [go up] that get you energized.

When cortisol goes up really high, it can trigger something in your brain called the amygdala.

The amygdala is a part of your brain that deals with feelings, and if the amygdala gets overly activated, it can do something called an amygdala hijack.

High cortisol causes an amygdala hijack, which preferentially shunts blood away from our upper thinking analytic brain into our lower survival brain.

So, high cortisol equals amygdala hijack equals blood goes to our survival brain, and people can't think because they're under fight, flight or freeze.

That's why you know, a deer in the headlights is not really thinking, and a fight or flight brain is not really thinking either.

Here is the reason empathy works.

When you do it, and people feel that surge of oxytocin, cortisol goes down. The amygdala settles down. Blood flow goes up into your prefrontal cortex, and you could actually have a conversation.

I hope that actually helps make that word, empathy, less lousy for you.

Katelyn Ilkani

It does help people understand how to take action, not just talk about the buzzword, to your point.

Why is it important, and then how do you do it?

Because at the end of the day, we can talk about it, but if people don't understand how to actually do it, it doesn't matter.

Dr. Mark Goulston

When I spoke in Moscow in October, I introduced my latest thinking on listening.

And I'm not sure if I'll write a book on this, I might.

I told the audience in Moscow, "Part of the reason I'm here is because I have some books that have done pretty well in your country. So you probably read some of them. But I'm going to introduce to you something new. It's my latest disruptive approach to communication."

Here's the disruption. Pause, be curious about what the other person is listening for, and try to let go of your agenda.

Just being curious about what they're listening for will cause you to be immediately present. So here's the difference, and I'll demonstrate it with Katelyn.

If I focus on Katelyn, listening to me, I can deliver a bunch of bullet points.

She'll nod, smile. "Oh, that's good. That one's less than good. Oh, that's okay. I'll write that down. Maybe I'll try that."

And it's a transactional conversation.

If I focus on if you're listening to me, then I'll just deliver a bunch of stuff, and then we'll go on our merry way.

And you'll give me your mind. And you might try some of this stuff.

But if I focus on what she's listening for, then Katelyn will give me everything. So if I tune in to Katelyn, and you might think what's the relevance of this? Well, you need to focus what the decision makers are listening for. I'll tell you what that is.

But for Katelyn, what she's listening for is, "I'm starting this podcast. I'm trying to grow it. I really want to give value to the listeners. And if I give value to them, I want to give them stuff that they can use. I want to give them stuff that's doable by them immediately. I want to give them high concepts that are relevant to them."

So if I'm Katelyn, I'm listening for experts or guests who can give my listeners tips that they can use immediately and get results with.

Katelyn Ilkani

Yes, absolutely.

Dr. Mark Goulston

What she is also listening for is an expert who might have a best selling book, but if they are just awful, then she can't post the podcast. She's going to have to go back and apologize. She wants to hope that she can avoid that. So is any of that true?

Katelyn Ilkani

Yes, all true.

Dr. Mark Goulston

The reason Katelyn is laughing is because I surprised her, because I got where she's coming from.  And see she laughed actually, because there was something kind of enjoyable about that.

My guess is when she laughed, it was kind of like a "Holy cow! How did you know that?"

Katelyn Ilkani

That's right. It's like mind reading.

Dr. Mark Goulston

But the point is, it's so easy. If you're talking to a decision maker, here's what they're listening for from you.

When they see you coming, you might have some relationship repairing that  you have to do,  because when they see you coming, what they're thinking is, "Oh, here comes the cyber security person who's going to try to get my attention in an area that I feel incompetent. I don't have confidence, and I feel out of control. I know we need cyber security, but I hardly understand what they're talking about."

One of my favorite quotes, is from Jack Welch, who  was the CEO of General Electric. GE was actually slow in catching on to the Internet, and a lot of these things was just slow. It was too stuck in jet engines and medical devices. One of his quotes was, "I avoided the internet because I didn't know how to type."

"I avoided the internet because I didn't know how to type."

So, that's what you're dealing with a decision maker. What they're listening for is a way to not feel incompetent.

If we circle back and you've developed a relationship, or you've prepped it with this assertive humility, saying, "When would it be a time to talk to you? It's not about an urgent threat. It's not about an immediate crisis, but I need your help with something."

And, that's disarming. The point is, you got to think like a business person.

There's an article that's still up in CIO Magazine called "How To Avoid Bumping Heads."

I think it's like 15 years old, and I wrote it. I basically said, when you're with a decision maker who thinks like a business person, and you're trying to push technology on them that they don't understand, you need to think like a business person. You need to use the vocabulary.

I'll give you an example.

I said I was a suicide specialist, and in Philly, suicide is really going up. It's going up in tech areas. Because when you're feeling hopeless, helpless, powerless, it just doesn't compute, literally.

So, I wanted to get the attention of the technology community, and one thing that most of the top technology companies get is design thinking. It's a creative approach to problem solving.

Pioneered by IDO, the design company, and also the Stanford design school.

I created a program called design thinking suicide prevention. I use the framework of design thinking, and you can look it up: "design thinking suicide prevention."

I was applying design thinking to suicide prevention because I wanted to get into the way people think.

And if I came off as just a mental health practitioner, they would be polite. They would smile, but I'd be making them feel incompetent, not confident and out of control.

You want to get in to the way a business person thinks.  The idea is, you need to find out what their vocabulary is, because I will tell you something, you also need to correct.

People are very sensitive to feeling stupid. We will sometimes use words that we just use within our department, because we just use them.

We communicate with our colleagues because we use those words. It's amazing how little people know about our specialty when we use a word that we think everybody knows about.

Katelyn Ilkani

It's jargon.

Dr. Mark Goulston

It's jargon.

In fact, the word empathy, it feels like jargon if you're a technologist.

You smile politely because everyone says you should do it. I think the more that you can not only see what that business person, decision maker, is listening for, but the more you can get into their vocabulary.

For instance, business persons are often focused on costs, benefits, and profit loss. And so I might frame things in terms of, and if you use a nightmare approach, she said, "I had a nightmare that wouldn't take the company down, but it could really hurt us, financially."

Katelyn Ilkani

It's this idea of trying to put yourself in the other person's shoes, about what they are caring about, about making it personal.

Really thinking about this idea of, in cyber security, you're really caring about protecting the company. You're caring about the risk, and then translating that in a way that, to your point, doesn't make the other person feel stupid when you're talking about it.

Dr. Mark Goulston

Yeah, so here's something I actually wrote an article, but I won't bother because if you're in cyber security, you just want me to cut to the chase here with all this stuff.

But here's another disarming tactic if you're having a conversation with a decision maker. The more you disarm people, what does that mean?

They lower their guard. When they lower their guard, it means they're more open.

What you can say to the person is, "Ok, as your cyber security person, I'm committing myself to a program of just professional development. You know, we're all remote. And we're all told, increase your skills, increase your technical skills, increase your non-technical skills. So I'm committing myself to a program of professional development, not just technical development. And can I ask you a question?"

Hopefully the decision maker will say, "Yes."

And if you're on a Zoom call, you look into their eyes and say, "At my absolute worst, how frustrating can I be as a communicator when I start talking jargon?"

They're gonna go, "What?"

And you say, "Look, at my absolute worst, how frustrating, or even exasperating, can I be when I start talking with too much jargon? Tell it to me the way it is. Because the last thing I want to be is frustrating to anyone."

And so you're inviting them to then get something off their chest, which is, they might say, "That's pretty courageous what you just did" or "Well, to be honest, when we get into conversations, probably within a minute, you're talking about things that I don't understand. And a lot of people outside your department don't understand. I think if the more you could talk in a way that I could understand, I think the conversations would go better."

And then if you're the cyber security person, you might say, "Can you give me an example of a conversation we had recently."

And again, when you enable people to get stuff off their chest, get their frustrations off their chest, what's going to happen is they're going to admire you for the courage you just showed.

They're going to be grateful to you because they were able to get something off their chest, and also that they're going to respect you.

What you're going to say, you're not going to get defensive, but you're going to say, "Thank you, I didn't know that was jargon. What would have been a better way to say it to you?" Or, "I'm going to work on it," because the decision maker may not know what to say.

"Might I ask you the next time we have a conversation, am I getting better? Am I getting better in the jargon department?"

And I will tell you, that's why I call it assertive humility, because you're not weak. You're just being open. And I will tell you, it's the kind of thing where people's admiration and respect for you is going to go way up.

Katelyn Ilkani

This idea of assertive humility isshowing the empathy, asking how people are, asking how you can help them, and really trying to put yourself in their shoes. Our main tactic is to really be a better communicator in general, even if you're not in cyber security.

Dr. Mark Goulston

Well, you can use this anywhere. You can use this at home.

What I would say to you, and this may take a while, and it actually might really work out well if you do it with a spouse or kids that you're connecting with emotionally. When you put yourself in someone else's shoes and you show empathy, care about it.

If you're just doing it as a tactic to be able to push cyber security, it's going to come off as disingenuous.

Here's one of the ways that you can care about it, in fact, if you're a cyber security person. If you have trouble connecting with people in your family, I would ask that question to my spouse or my kids.

You might say, "At my worst, how frustrated can I make you feel about the way I just communicate? Or the way I listen?"

And then you ask them the same thing, “Give me an example.”

You're inviting them to get something off their chest, and then they give you an example and you even ask them, "What would have been a better way to have that conversation? Because I have no intention to frustrate you because you're my family."

See what happens is, when you do these and you start to get immediate results, hopefully, something will go off in you and you'll say, "I've never had that much impact on people around me. Trying to show them my expertise, and show them what I know, has never worked as well as what I just did."

Katelyn Ilkani

Dr. Goulston, I've learned a lot from you today. It's been wonderful having you on the show and hearing about ways that all of us can be better communicators in our home lives and in our jobs.

Dr. Mark Goulston

Well, it's been my pleasure, Katelyn.

I'm more towards the end of my career, so I love finding people like you, who really are good people and deserve to be successful, deserve to have a successful future.

I hope you'll keep me updated on how you progress, because I think good things are gonna happen for you.

Katelyn Ilkani

Thank you so much. Thank you for your kind words, and for your willingness to be on the show and share all of your great knowledge.

It's been really fascinating to learn from you.

Dr. Mark Goulston

No, thank you. I wish my kids would listen to me, but that's why I take it out on you.

Katelyn Ilkani

Don't we all wish our kids would listen to us?

Dr. Mark Goulston

Absolutely, absolutely.

Katelyn Ilkani

And that's a wrap. Thank you for joining us for this episode of Security Economy. Check out our episode lineup at  and don't forget to subscribe. See you next time.


🎉 You've successfully subscribed to The Battleship Blog!