Security teams never have home field advantage.
I have been running a survey on what each letter of the CISO acronym means to others. I started a few months ago with the C in CISO. You can see the results below, and I got the results I thought I would; I didn’t expect to not get a single vote on Connecting.
The C in CISO is for CONNECTING; that is what it means to me.
I get it, we can all argue that Collaboration and Communication are also extremely important to all of us; in fact they are critical. They are to me too. While I understand that in order to connect you must be a good communicator, I believe that connecting is the important outcome of communication. I believe that in our role as leaders (of any practice) we must be able to influence others and yes, you must also be an excellent communicator in order to influence. However, as John Maxwell puts it in his book Everyone Communicates, Few Connect, “connecting increases your influence in every situation” and he defines Connecting as “the ability to Identify with people and Relate to them in such a way that it increases our influence in them”. This means to me that as a leader I must show empathy to others and stand in their shoes to understand what matters to them; what they are going through; what their concerns and constraints are so you can better understand how the security program may impact them; and to communicate the What’s In It For Me (WIIFM). By connecting with others, you are on the right path of building trust with all your stakeholders who will support your program and define its success or failure.
The modern CISO must be able to build a security and risk management program (the program) that is aligned with the overall business strategies. This is achieved by seeking out and connecting with executives and business unit leaders that can provide insight into the past, present and future strategies of the organization. Having these conversations is also an opportunity to show that the security team wants to collaborate and figure out emerging risks together to understand where to focus the security and risk management strategy to deliver business value. This connection, in a visual form, will also be a powerful communication tool in the leaders’ interaction with the executive team and the board that will show them that the security team is a Business Unit, and as such is there to support the organization by delivering business outcomes. Here is a sample of such a communication tool.
Security leaders rely on people to deliver value, to deliver the program itself. Thus, once the security and business strategies are linked together (preferably in the form of a visual communication tool), the leadership team must go to work and clearly communicate what the team’s role is in the strategy and the benefits to the organization, the team and the individuals (the WIIFM). A team that understands their purpose and how they fit into the high-level business strategy will become more engaged with the program and the leadership team. Connecting your people to the program’s purpose will translate into support throughout the life of the program and ultimately, there is no better team than one that is engaged. Give me a junior team that is highly vested and passionate about the mission and vision of the program over a team of many senior and smart people that are not vested in the benefit of the program. I take the former without hesitation any day! Finally, CISOs lead Teams of Teams, and communicating how those supporting your initiatives from other departments fit into the security and business strategies will go a long way and add unexpected supporters for the program.
A great way to score small wins that lead to trust is connecting people to people. When I meet with business unit leaders I always ask them what their concerns are in general, not just related to security, and because in my role I talk to a lot of people across the enterprise, I can sometimes provide insight into how others have solved similar challenges or at least who could be a good resource in that particular situation. I remember a situation where a business unit leader was dealing with a legacy database; the team was struggling with strategizing about moving the data to a modern platform. I quickly connected the team to our data analytics team, and a few months later this director reached out to me to thank me for the connection because the two teams were working together on a solution to solve the issue. This director now also brings me into conversations that have little or nothing to do with information security.
One thing to remember as a security leader is that, as I often say, “security never has home field advantage”. Let’s face it, the business is not likely to come looking for the security leader/team and ask her to give them more security. This is important to understand because it will likely be challenging to build relationships and gain support for the program and as a leader early on (also heavily dependent on the organizational culture). A security leader’s success depends on her ability to establish Trusted Relationships and to do so, one must be intentional about building long-lasting and authentic partnerships throughout the organization by getting to know the key players and catalysts driving the business. Being intentional matters, a lot, because it is on a leader to seek out others and build those relationships, especially for security leaders who, remember, are often the “away team”. A leader must truly understand not only what’s important to these stakeholders’ objectives but also try to relate to them as people: what excites them; what concerns them; how they think; how they view the roles of security in their value stream. By connecting to the individuals and showing them how the program has delivered or will deliver value, the leader will build a solid partner, supporter and advocate for the security team, which will help the program continue to mature and increase her ability to influence decision making throughout the organization.
Remember, a leader influences decision making in any organization. A security leader who builds trusted relationships will be able to guide other leaders and stakeholders through the risk landscape; will build a highly engaged team who understand how they fit into the organization; and ultimately deliver value by aligning the security strategy to business outcomes even if value is not in the form of a security initiative. Do not wait for others to come seeking you out; be proactive, get out there and connect to others by building relationships across the business while focusing on them to build trust!