The S in CISO is for Servant Leadership

I started a series where I depict the meaning of the CISO acronym to me, starting with the article “The C in CISO is for Connecting” followed by “The I in CISO is for Influence”. It is time to reflect on the S in CISO which, to me, stands for Service, for Servant Leadership.

I was recently asked what I believed were my main contributions to the organizations that I have worked with during my career, and when I looked back the answer was undoubtedly turning around unengaged tech and security teams into service teams that are closely aligned with the mission of the organization. As I reflected on this question, this seems to be one of the themes throughout my career, perhaps because being of service is one of my core values.

While our mission as security leaders is primarily to provide assurance to stakeholders that we are properly managing risk and protecting assets, this mission cannot be carried out without understanding what the expectations, challenges and opportunities are from the stakeholders’ point of view so that we can build strategies to address them. In essence, this means being empathetic, a core principle of Servant Leadership. When you look at the most prominent servant leaders in history, such as Martin Luther King Jr. or Mother Teresa, you can see that they were not in it only for what they believed in, but also for a greater good, and their accomplishments were the result of being of service.

But why? Why shift to being a service organization first? By focusing on providing service to the organization, you move security from being the “nay-sayers” to being a trusted partner that business units feel comfortable bringing challenges to, because they know that the team will work with them to find risk-based solutions that deliver value to customers while securing assets properly. This builds community and partnership, another core principle of servant leadership.

Who are those stakeholders that security leaders and professionals serve? Let’s take a look.

  • Your peers and leaders. As described by Patrick Lencioni in his book “The Five Dysfunctions of a Team”, this group of people is the one setting the larger strategies at enterprise and divisional levels. It is important to understand these strategies and collaborate with the leadership team so the security program is aligned with the larger strategies.
  • The security team. Of course, our team is just as important as your core team, and you serve your team by empowering them and providing the support that they need. Once you give the team a mission and vision of a deliverable, the role of the CISO is to get out of the way and enable them to deliver by helping them build new relationships; building a platform to expose them; removing blockers; and ultimately ensuring that they develop and grow as professionals and people, another core principle of servant leadership.
  • Business Line Leadership. As I mentioned in previous articles of this series, making connections beyond IT and security is critical for the success of the program. Negotiating security deliverables is becoming the norm, and working together with the folks across the enterprise to reduce risk is a great way to serve the organization. In addition, you also include those business units in conceptualizing and developing risk mitigation plans and controls that they can feel confident in.

Here are some suggestions to serve stakeholders on the way to transforming the security team into a service organization (some may or may not apply to your situation).

  1. Run a SWOT exercise on the program to identify its Strengths, Weaknesses, Opportunities and Threats so strategies are built to address those. It is important to involve your team and, when appropriate, others in this process. Communicate your findings to stakeholders.
  2. Seek out business unit leaders and understand their expectations, challenges and opportunities. Once a strategy is formalized to address those, come back to them and communicate the plan.
  3. Ask to attend business unit leadership meetings to provide updates on the program or specific matters that impact them, or simply to be a fly on the wall and learn more about business processes. This will raise your and your team’s visibility with them and remind them that you are there when needed. In addition, you will also raise your awareness of current and future organizational strategies. Do this as often as is appropriate for your culture.
  4. Coach the team so that they understand that negotiations will be the new norm. Instead of saying “no, we can’t do that”, the mindset of the team is more like “let’s take a look at it together and figure out what the risk is and how we can deliver the solution securely.”
  5. Find opportunities to deliver security incrementally. Identify the minimum security requirements or minimum viable product (MVP) for supporting go-live and each product increment being delivered.
  6. Build a succession plan. This is important for the organization to ensure continuity and also for many on your team who may see that a career path is available. Do this not only for the top leadership position but also for the other leadership positions in the team.

The results of this approach? Well, in one organization I observed the perception of the security team shifting from “security is going at 45 mph while the rest of the business is going at 65 mph” to being engaged in supporting more than 150 initiatives across the organization in a period of three years, which is a way to measure maturity of the program. Here at Citizens I also see many business leaders reaching out to me or others in my team to consult on risk-related matters or even engage in conversations with external stakeholders, and they now know us for being “a collaborative team who will help us figure out how to solve business problems while addressing risk”, as an executive put it.

By becoming a servant leader and a servant team, security will be able to manage risk in business terms and get the support needed from leadership. Try it, it is worth it!
