The I in CISO is for Influence

Last month I started a series where I depict the meaning of the CISO acronym to me starting with the article “The C in CISO is for Connecting”. This was a result of me running surveys on this topic and reflecting not only on the results but also on my approach to leading a cybersecurity program and team. As I reflected on the results of the survey on the I in CISO I realized that I really didn’t capture my approach. First, let’s take a look a that survey:

When I look at this chart I realize that I actually failed at identifying its true meaning, to me, of what the letter I in CISO is. While I believe that all four options presented are important to be a successful CISO I believe that the I in CISO stands for INFLUENCE.

• Influence others by building Trust.
• Influence by Empowering others to make educated risk-based decisions.
• Influence your team; Influence your peers; and Influence those above you making business decisions.
• Ultimately, Influence the culture of the organization.

Building Trust. In my opinion, this is the foundation of relationships and influence. However, earning Trust is also the hardest thing to achieve in any relationship. As I wrote in my last article, John Maxwell defines Connecting as “the ability to Identify with people and Relate to them in such a way that it increases our Influence in them”. Connecting with others is one of the things that has worked for me best because I am intentional about making those meaningful connections and understanding what’s important to the people I work with. There are other ways to earn trust such as delivering result and value; but being empathetic and intentional about connecting with others has been the key to my success as a leader who can both influence others and, can be influenced by others as well.

Empowering Others. Many people believe that leadership is about making decision and I going to kindly disagree with that notion. Sure, it is an important part of it and something that we as leaders do everyday. However, as an awesome CEO once told me the key is to have the right team around you whom bring their experience and expertise to compliment you. The leaders’ role is to keep an eye on the guardrails that you establish with the team and then empower them to make decisions based on the vision and mission that the team is pursuing. You hired them because you had every reason to believe they were experts in their field and would add value to you and the organization. Let Them!

Your influence Circle. CISOs, like most C-level leaders, have an extremely wide influence range. We interact and have the opportunity to influence people from all areas of the organization in our daily interactions. We talk with business unit leaders, vendor management, legal, IT, HR, you name it; we support them all and usually are in constant communication with them either directly or through our team. Let’s not forget that and the fact that we lead a Team of Teams. Don’t think so? how about a look at this short list of some of the members of your “core” stakeholders such as:

• Your team. Ensure that your influence is positive. Let’s not forget that there is also a negative side of influence and there is a fine line to walk, which is can be unintentionally trespassed by the leader. Be mindful because they are watching you and hopefully following you.
• You peers. Per Patrick Lencioni in The Five Disfunction of a Team, this is your core team. Why? Because this is usually the team that is collaborating to set strategies that the CISO must turn into a vision and objectives for middle management and staff to execute. Thus, this is also the team that needs your attention the most; and who you must influence the most. Your ability to influence this particular team is going to be critical to your success.
• Your Customers and Stakeholders. These folks can be your sponsors and champions, go after them and make sure you connect and understand them.
• Your superiors. Failing to influence your leaders will simply translate on lack of trust by your peers and your direct team. How will you move your program forward without this support?

Influencing the Culture of the Organization. In my option, the ultimate goal of the CISO is to influence Cultural and Organizational Change. Leading others to make educated risk-based decisions will come a long way to improve the security posture of the organization. This really comes down to all of the things that we have gone through in the article such as connecting and building trust; empowerment; and influencing your core stakeholders. How do I know that we are influencing others?

• When I see my team making daily progress in many different areas;
• When I go to a meeting with other leaders or teams someone is speaking about risk and security matters and why it is important and my input is a simply a nod;
• When an executive starts asking questions in non-security related conversations like “what are the chances this service provider is hit with ransomware and it impacts us?”;
• When my team is presenting and I can tell that they have a script and are fully prepared to answer questions;
• When my boss asks me what I think about something that that is not security related;
• When our program maturity score increases;
• When the opposite to many of those things happen, perhaps I am not influencing as much as I thought;

A Few Closing Thoughts On Influence.

• As stated above, influence can be negative so you must be mindful at all times to make sure that you are not drifting to “the dark side” and negatively influencing others.
• Influence goes both ways. You should have a clear picture of who those that influence you are. Study them; learn from them; don’t be shy and apply some of the things that they do and keep trying even if you fail. For example, most people that influence me are great story tellers; I am not a great one myself but I keep trying and will continue to do because I am actually getting better at it.
• You will fail many times in building connections and influencing. When that happens, look for alternatives. For example, I often rely on people that are closer to those I want to influence but I can’t for different reasons such as lack of access to that person\group; or a previous failure. In those cases I go to others who already have trust with them and try to influence these folks so they can help me.
• Influence and Persuasion are different. Influence is something that you exercise without even trying most of the time. It is something that you earn and “is there” because people trust you and follow you. Persuasion is more intentional, factual and an action that you take to get support on something for example.

There are many signs that can reveal your ability to influence others. Keep working on your influence skills; you will need them whether you lead a team or not. Keep practicing and failing if necessary; keep connecting, empowering and getting closer to your core team!