Disagreement arises in many situations. It is an inevitable part of any work in any organization, or life in general. It is especially apparent when dealing with matters of risk and security since so many parties to decisions can have radically different opinions and perspectives on everything from the assessment, assumptions, characterizations and ultimately the degree of acceptable risk tolerance. Viewing a situation as something to “win” is flawed. Viewing it as a collaboration is the imperative. That might not be easy or always harmonious but every security professional has developed and can further develop a few classic techniques:
Aim for a win-win. Remember, win-win doesn’t mean a compromise for both parties, rather it should be finding a productive middle ground. In other words, find the third side of a conflict. If we are honest with ourselves there are many occasions when our views might simply be wrong and taking the third side may enable a different approach that is satisfactory to all.
Frame the problem differently and define the new problem as something to work together on. The problem you want someone else to solve is not often the problem they want to solve. You can use persuasion or authority to get them to solve what you want but this will be more effort than it needs to be. Rather, work with the other party to define a new problem that is in line with both other problems. If you can do this in a way where you can support them through this process then all the better. For example, let's say you want some area to improve their patching cadence, but they only have so many change windows to accommodate this. The actual shared problem here is their software lifecycle process. If this is improved then not only will they realize an ability to change more frequently and thus support more business goals, but patching can be applied more aggressively because testing will be easier and roll-back more feasible. It's conceptually easy to agree on this new goal and walk away but the real idea here is to work together on that shared problem. In this example, it might be assigning one of your engineers onto this team for a while or shifting some of your budget to help them get to this new end-state.
Other person’s point of view. This is easily said but hard to do. It is important to spend time thinking deeply about the world-view or the priorities and pressures of the person who you need to influence. Even, just spending 1-2 minutes before a meeting, call or video conference to put yourself in their shoes can potentially help the framing of your ask that will resonate with the other person. It might not change what the ask is but it may change how you would think to structure it, stage it or adjust the timing. Imagine you want some team to implement a certain control, and that you're right and what you want doing is totally reasonable and justifiable. Now, you spend a few minutes thinking about what's going in the world of the leader who you need to drive the work into their team. Perhaps they've got a major launch coming up in the next 4 weeks and you know they're having difficulties. Knowing this you now approach the situation with them as, "You're likely to be busy in the coming weeks, product X launch is obviously critical for the company, you must be up to your eyes in this so I've asked my team to be on the lookout for any issues that might be an impediment for you, also that needed control uplift can slot in to your next window immediately after the launch". This is almost too obvious but it's amazing how little it is done in practice. What is interesting about this technique is even if you can't change what you need the mere act of thinking of the other person's viewpoint is enough to create empathy in how you make the ask that they will more likely agree. In the example above, if the need was critical for pre-launch then framing it as, "You must be in a real crunch on delivery now for the launch, and I know how important this is, but without this control uplift you may well have some additional issues so we need to get it done - but I'm going to divert as much of my team to assist your team in doing this with as little impact as possible".
Make some progress, any progress. In any situation someone can always do something, even if it is a small thing. Imagine, say, you've done a review of access in a certain business unit and the sense is that many people have too much privilege. It needs to be reduced - but it's going to be quite complex to do the analysis to determine exactly what the end state needs to be. The area you are working with doesn't have the cycles to do this until 3-4 months from now. You could say, assuming the risk is not critical, "that's fine let's revisit in 3-4 months" [by which time some other competing priority might drive to push it back again] or you could say, "you know what we did some analysis and there are 20% of the privileges for these 100 people that we know they have never used and we can just eliminate those now with little operating risk, and I commit to standing by to reinstate if there's an issue - can we do that now?" The answer to this will invariably be yes. The outcome here is that some of the risk is reduced but the real value is that some action has been taken, because then when that has happened you can ask for the next step, and the next, and it might be you end up getting what you need well ahead of the original schedule.
ABC - Always be Closing. Remember to ask for what you want. This sounds obvious but, again, it is incredible the amount of times people fail to articulate what needs to be done in a clear and crisp way.
Don’t personalize. To quote Seneca, "We suffer more in our imagination than in reality". People pushing back on your requests are rarely an actual personal attack or an affront to your authority. People's reluctance to do things may make you imagine their motivation is personal, but if you personalize then your response is going to be unproductive and will harm the relationship - the very relationship you need to get things done.
Listen to the meaning not the words. When people are pushing back on you they may not frame their response in ways that are logical to you, you may interpret this as unreasonable and then will follow the likely ego-driven breakdown in useful dialog. If you check your ego and listen to the meaning or what is behind what the person is saying, and then question and probe, you can likely find some productive next steps. You might even find out you were wrong and learn something.
Go the balcony. William Ury has this great concept of "go to the balcony" which is to remember, in moments of tension, to take a break, take a step back, look at the bigger picture, reset and then return to a discussion or negotiation. This doesn't always have to be literally taking a break, it could be as simple as realizing you need to take the pressure off, and then spending just a few seconds mentally resetting before continuing a discussion. I like to use some mental imagery of literally going to a balcony. In a tense or otherwise tricky dialog that might be at an impasse I imagine getting up from the negotiating table and walking across the room, opening a door and stepping out onto a balcony and looking at some great vista and taking in the air. Then, calmed, you return to the table re-focused on the shared goals at hand. I can imagine this in a few seconds and I find it helps during tense moments.
Don’t take no as a permanent answer. Many disagreements are not disagreements in concept but in timing - and it might be your timing is wrong. I've seen many organizations and leaders successfully get things done by keeping a "library" of things they need to do and injecting them over and over and eventually they get traction. Some problems are not ready to be solved.
Influence the influencers. Most leaders who you are seeking to agree to some course of action have trusted advisors they turn to in deciding whether to proceed. Knowing who these people are and pre-selling to them is a much under-utilized skill. In some cases it is easy to find that person, they might be a deputy, a project architect, or some other designated role. In some cases though, and this is where organizational shrewdness comes into play, it might be a colleague they once worked with who is now in another part of the organization or even an external consultant. Knowing the influence map of an organization is a super-power.
Bottom line: managing disagreement and conflict can be reframed as improving how you influence people and organizations to get to the right shared-outcome. This requires just as much of an engineered/planned mindset as actual engineering work.