As a consultant in the difficult area of “Cyber Dispute Risk Management” (more easily understood as Legal Compliance Consultancy), I often encounter a situation where a company appears fully in agreement with the need to implement some of the suggestions made, such as the need for ITA 2008 compliance, but on the ground no action seems to happen.
I have been encountering a similar experience when I try to convince users that the Online Dispute Resolution mechanism under ODR Global is a great thing for them.
As consultants we are responsible for “Making it happen”, and cannot take “No” for an answer. We therefore keep trying again and again, and when we get the reply “Yes…But”, we feel frustrated that what we believe is good and should happen is taking longer than it should. In the meantime, if something untoward happens which could have been mitigated had the suggestions been implemented, some consultants feel “Deja Vu” and “I told you so”. But most genuine consultants feel “Pained and Angry” that their suggestions were ignored.
When an assessment of “Due Diligence” under ITA 2008 compliance is made, the fact that a consultant had suggested some measures for mitigating a risk but they were not implemented may actually be treated as negligence. HIPAA directly addresses such issues by increasing a penalty if an identified risk is not addressed.
Information Security Professionals and Corporate managers who deal with legal compliance (as well as other managerial responsibilities) need to be fully aware of this “Yes…But” syndrome and avoid being a victim. This is part of the third dimension of Information Security Risk Management, namely the “Behavioural Science” aspect, which works along with the Technical and Legal dimensions in Naavi’s “Total Information Assurance” concept.
“Yes…But” is classified as a “Psychological Game” by Eric Berne. It is a frequent response that a person gives when something is suggested to him, either voluntarily or on specific request. The subject sometimes comes to a friend (in the present context, a consultant) and holds out a problem. The friend genuinely comes up with a suggestion, to which the subject says, “Yes…but it does not suit my requirement because…”. The friend suggests something else and gets the same excuse. This game goes on until the friend gives up.
Eric Berne identified that there is a method these game players follow as described below.
Method
Agree, then show how you do not agree. Their argument may make perfect sense in many ways, but it does not work as a persuasion with you.
‘Yes, but’ is a classic way of agreeing and not agreeing.
Example
Yes, I know it’s important. But I don’t have time at the moment.
That’s a really good idea. Though when you think about it, it will cause subtle problems.
Yes, we could go out. And no, I don’t want to.
Discussion
Agreeing first mollifies the other person or maybe lulls them into a false sense of success. The refuting of their argument then acts as a shock, such that they may well not be able to fully respond to your words.
‘But’ effectively says that what has just been said is not true, or at least is not completely true. The following words then reveal the real truth.
Why does this happen? After all, the subject had identified a problem and in fact approached the friend/consultant to find a solution. Eric Berne identified this as a “Psychological Game” deliberately played by the subject for the feeling of “Self Gratification” that he is in trouble but there is nobody who can help him and he is doomed to suffer.
It is difficult for some of us to accept that we are playing a “Yes…But” game because we want to remain in the problem and do not want it solved.
Resolving a “Yes…But” situation happens more through self-realization than through an external person attempting a therapy. Hence, the consultant needs to have enormous patience and try to achieve his goal in small steps, where the subject sees some benefit quickly and tries to get over his own self-doubting attitude.
I invite readers to share their own experience in this regard in their professional life and how they resolved it.
Naavi
More Details of Yes… But Game (See page 49)
Information Security and similar things are implemented “only” when there is either a statutory/compliance requirement OR when there is customer pressure. Even after an incident, most of the time, the incident is considered a one-time misfortune, which will not repeat again. And they sleep again.