By James Moncrieff, Former Covert Ops Handler turned CISO
Manipulation. I’ve been taught to see it as a dirty word. The self-help gurus and bite-sized wisdom on LinkedIn and Instagram will tell you it’s toxic.
And maybe sometimes it is. But in my world - first undercover policing, now cyber security - it’s rarely that simple.
Few people can say they’ve spent part of their career convincing dangerous people to share secrets that could save lives and then used those same skills to protect businesses from cyber threats. James Moncrieff has done both.
In this opening piece of my Culture Change series, I take on a provocative question: is there really such a clear line between manipulation and influence, and should security leaders care? Drawing on stories from covert policing, sales tactics, and corporate security, I explore:
- Why the skills that win over informants aren’t far from the ones needed to win over colleagues.
- The uncomfortable truth that influence often is manipulation and why that’s not always bad.
- Why most security awareness fails to change culture and the one word that explains why.
- How listening, not lecturing, is the real key to lasting security buy-in.
The lie we tell ourselves in security
Let me put you in a situation. You’re a counter-terrorism detective. The only way to stop an imminent attack is to play a role, become someone you’re not, to earn the trust of a dangerous criminal.
Would you do it? And if you did, would that be wrong, or simply necessary?
In covert operations, you quickly learn there’s no one-size-fits-all approach. One contact might respond to someone who’s calm and deferential. Another to someone with quiet menace. Others need intellect. Or humour. Or street-smarts.
The endgame? Gain trust, and keep it long enough to get the truth you need.
When cyber security needs the same playbook
If this sounds familiar, it should. In cyber security, we often need the same skill set. We adapt our style and approach to fit the stakeholder we’re trying to reach, whether it’s the CFO, the Head of Ops, or the engineer in the field.
The techniques look a lot like sales: build rapport, keep the connection alive, and, when the moment’s right, move the other person to take action.
Finding the leverage point
In covert work, “leverage” might be someone avoiding a prison sentence, removing a rival, or protecting their family.
In our world, the leverage point could be avoiding a regulatory fine, hitting uptime SLAs, or protecting the brand’s reputation. The mechanics are the same: identify what matters most to the other person and connect security to it.
That’s not about being dishonest, it’s about being effective.
The line we pretend exists
We like to think we “influence” rather than “manipulate.” Influence is “the capacity to affect the character, development or behaviour of another.”
Manipulation is “influencing another in a clever or unscrupulous way.”
But in security, who decides what’s unscrupulous? When we highlight the risks of ransomware or the personal liability of a breach, are we scaremongering or educating? When we dangle the business growth of an ISO27001 certification, are we selling or protecting?
But really, we manipulate all the time and that’s not a bad thing. It’s how humans change other humans’ behaviour.
Why our approach fails
If manipulation works for undercover operations and sales, why doesn’t it always work for security culture? One word - perpetuation.
In security, who decides what’s unscrupulous? When we highlight the risks of ransomware or the personal liability of a breach, are we scaremongering or educating?
We don’t have that luxury. Security isn’t a one-off transaction. We need behaviours to stick for the long term. Our “deal” is never done.
Their bigger picture, not yours
We often think we understand our colleagues’ bigger picture, but we don’t. We assume “being secure” is their top priority. But have you considered what they might sacrifice to do what you’re asking? Lost productivity? Missed revenue? A blown customer deadline? Maybe even a lost bonus?
If you don’t know, it’s because you haven’t asked.
The problem is, we talk too much
In security, we love being the experts. We prescribe. We present. We explain. We make the rules.
But how often do we stop talking long enough to hear what’s actually driving (or blocking) the behaviour we need?
From telling to asking
If we want genuine culture change, we need to trade some of our “telling” for asking.
We need to understand what matters most to our stakeholders and connect security directly to those priorities.
In this series, we’ll explore how to stop delivering lectures and start having conversations, and how a little well-placed “manipulation” can be the key to everyone’s greater good.
Guest writer spotlight: James Moncrieff; from covert ops to the CISO’s chair
Whether you agree with him or not, James’ perspective will make you rethink how you engage stakeholders, and whether your “influence” is really hitting the mark.
Feel free to drop your comments in the page.
What will it take to tackle AI-driven threats?
Most businesses think they’re ready for a major cyber incident.
Host Henrik Kinstedt, sits down with Jason O’Hare and James Moncrieff to talk about what really happens when systems go dark, panic sets in, and decisions need to be made fast.
More in Cyber Security
In-person networking and hospitality events for cybersecurity professionals and technology providers.
Security, Safety, and Trust for the AI Era.
Delivering Exceptional Experiences with a Differentiated Portfolio.
AppSec for agentic development.
Cyber resilience that keeps your business in business.
Your AI Isn’t Waiting.
AI-Native. Human-Led. United Against Every Threat.
The AI-Native Social Engineering Defense Platform.
Executive Assurance for Organisational Intelligence and Resilience.
The answer to your biggest data challenges.
Adversary trends and defender strategies derived from real-world telemetry.
Share this story
Reading Progress
