The role of the chief information security officer (CISO) has continuously evolved over the past few years. Effective CISOs have transformed into business leaders with a major say (and stake) in business strategy and priorities. CISOs need to be embedded in every department and at every level of the business. They need to be both on the ground and in the boardroom.
In theory, being everywhere, all the time, all at once, seems impossible. But, as a CISO with a track record of effectively managing risk in remote, in-person, and hybrid environments, I know that success is actually quite simple. So simple, in fact, that it’s tied to one key factor: trust.
Here are five essential trust-building actions CISOs must take to properly secure their organization.
1. Champion a risk management culture
CISOs, like most C-level leaders, have an extremely wide range of influence. We interact with people across the organization and at all levels, from the board of directors and executive team, to business unit leaders and operational staff, with incredible frequency. We also often connect with external entities, such as partners and customers. It’s important that CISOs view our close proximity to such a diverse range of individuals as a unique opportunity to influence the wider culture of an organization.
By encouraging your team and your peers to process decisions using a business risk-based approach, you improve their chances of making an impact and succeeding. Building upon that, they can use the resources on hand in a balanced way and optimize their contribution to delivering against the larger company vision. With a bit of guidance and conscious investment from you, your colleagues will approach their everyday decisions with a critical intentionality they didn’t have before, helping to prevent critical mistakes and missteps.
Leveraging each interaction as an opportunity to educate and champion others, CISOs can build high-trust and high-value relationships across a business. Gradually, these individual investments and trust-building touchpoints will improve the overall security posture of your organization.
2. Communicate with clarity
A good CISO is a subject matter expert in security who understands how security frameworks impact business success and how to implement the processes needed to protect the organization. A great CISO disseminates their expertise, empowering people with a clear understanding of how they can play their part in securing the business against information security threats. But an outstanding CISO? They will bring observability and alignment around security to their colleagues, ensuring everyone is on the same page and in it together.
When you break corporate words like “observability” and “alignment” down, you get a simple and straightforward term: clarity. We all work better when we’re given clarity — clear instructions, reasoning, deadlines, and feedback. With clarity, we can make informed decisions, own our actions, and explain the “why” behind our work. Clarity breeds understanding, predictability, and certainty, thereby ensuring that we are operating with aligned expectations. This reduces the likelihood of confusion and conflict, thereby protecting trust.
Clarity is the cornerstone of trust and a critical investment for an outstanding CISO. Here’s what the approach to greater clarity looks like for security leaders:
- Identify critical processes with colleagues
- Identify their success criteria
- Work together to define key performance metrics that incorporate security
- Align on how these performance metrics play into key risk indicators
- Define clear thresholds for notification and alerting
3. Activate empathy
When it comes to empathy, many leaders get stuck in the theory of it; it’s an oft-lauded leadership skill with direct ties to employee retention and business success. It’s easy to get caught up in talking about empathy’s benefits and completely forget to act on it. But empathy without action is not a luxury security leaders can afford. Because empathy plays such an enormous role in trust, it’s much more than a theory to security leaders — it’s a critical variable of our success.
For the modern CISO, the key to successfully mitigating risk is to completely embed security throughout the enterprise. But before we can embed a security mindset in another business unit, we need to create connections, generate buy-in, and build trust with key stakeholders. We need to activate empathy.
The road to empathy starts with listening. Do you know what your business partner is going through at this exact moment? Maybe they just got reprimanded by a customer. Perhaps their supervisor just came down hard on their last deal size. Maybe they are going through a tough time at home. The point is, you never know what’s going on behind the scenes. That is, of course, unless you ask. It’s important that we, as CISOs, understand what challenges (personal and professional) our business partners are facing, so we can make an informed decision on how to proceed.
Is this the right time for a conversation to happen? Is there another, more effective forum or approach? Catering conversations to the needs of our colleagues is critical to ensuring shared success.
Next, make an effort to understand the organizational model of the team you’re trying to engage. Is their organization operating at peak efficiency? Is their team set up to support their own success? Before a department can tackle security projects, it needs to be designed to support its own work. Ask yourself: “How can I invest in my partner organization’s operational maturity to make them fit to handle security requests?” Help them help you.
CISOs have significant influence when it comes to business demands and decisions. It’s important we use this power for “good” — to leverage this influence to set up our business partners for success before our own. Once we understand a collaborator’s business needs, we can make more informed asks, setting them up for success when they are ready to tackle our challenges.