Whether they’re earned or not, there are certain stigmas associated with chief information security officers (CISOs): They work in isolation, with only a vague sense of how various departments contribute to the organization’s greater good. They impose controls without considering business impact. They focus on highly technical metrics with unclear net positive value. They aren’t good at listening. Or empathy.
Be honest. Does this describe you and your team — even just a bit? Or more so? If you concede that it does, that’s a good thing. The first step toward a solution is acknowledging that a problem exists. Improvement requires change, which is sometimes uncomfortable, because change starts with you.
Accountability, then action. For CISOs and their teams, that means transforming into ubiquitous advocates for cybersecurity — and then leading the transformation for everyone in the enterprise into advocates for the same.
CISOs will thrive within this change by focusing on input, empathy, and alignment. This will enable lasting success for the shift by allowing CISOs to fully identify and understand information asymmetries throughout the organization and then remove them to clear the path to optimal communications and awareness.
However, there are several obstacles that hinder these efforts. Here are three and how to overcome their traps.
Assigning Tasks to the Wrong Subject Matter Expert (SME)
CISOs are responsible for an extremely wide scope and frequently deal with high stress — but are consistently biased toward taking action themselves. They lead the organization well, but at times miss opportunities to leverage SMEs’ soft skills to optimize resolution. As leaders, it is necessary that CISOs remain cognizant of the balance between SMEs’ skill sets, shared values between them and the target organization, and the true goal of this collaboration.
The solution requires raising engagement between security and the enterprise across the board, building relationships that ensure the right expert is assigned to the right issue to give the right support.
CISOs must rely on the people around them to truly know what is going on. They must create pathways so that the right information flows freely everywhere and that this knowledge is committed to organizational and institutional memory. By interfacing with external teams, CISOs create contacts that result in the effective ingestion of information and the proper application of personnel and responses to the information.
Failing to Tie Actions to Organizational and Business Goals
If CISOs don’t connect their work to broader goals, it’s pretty much impossible for non-IT managers and employees to appreciate the value of their actions. CISOs know why certain controls and responses to threats are needed. But they can never assume those outside their team do.
To overcome these potential credibility gaps, I’ve proactively communicated with my heads of finance, marketing, sales, and other key departments to learn about their roles. Because I’ve invested that time — to find out what they do every day, along with their strategic goals and challenges — I gain their trust in myself and my team. They are confident we will approach threats, risks, and remediation with an appreciation of business objectives.
Executing Without Making Broad Impact
I push my team members to constantly ask themselves: “Am I implementing a fix that benefits people outside our team? Or am I just trying to make my own life easier?” Obviously, we seek to achieve the former and avoid the latter. Simply stated, we need to think big. Our return on investment (ROI) growth is directly tied to our ability to sow seeds once and reap the fruits of our labor in multiple seasons to come.
“Everyone has a plan,” boxer Mike Tyson is credited with saying, “until they get punched in the mouth.” If we work within security silos — isolated in our knowledge, dogmas, and execution — every security issue is like the first time in the ring, and we consistently take punches that we have little understanding of how to handle.
But if we proactively pursue empathy and alignment as part of our core values, we gain a level of trust that builds pathways throughout the enterprise. Subsequently, we can remove those informational asymmetries, elevate the conversation across the organization, and lead strategically. And we will walk out of the ring with our arms raised — stronger and together.