The role of the security practitioner has come a long way in recent years. Cybersecurity is no longer an unknown commodity outside the security community, and about half of organizations report having a CISO who serves on the executive team[i]. Despite the awareness security has gained, and the addition of a C-level title, senior security professionals still notice a distinct difference between the reaction their suggestions for large-scale change receive and the reaction similarly titled colleagues get when they make equivalent recommendations.
There are many reasons for this: security is hard to measure, and security teams have historically not done a stellar job of communicating ROI; security often talks in technical terms when executives want to discuss risk; and implementing security can run counter to speed and agility, which are frequently priority business goals. This is a short list. Regardless, the result is that CISOs and their teams have not yet achieved the authority of their peers, which makes accomplishing security's goals, whether they are directly in line with the business or not, difficult. The challenge, though, isn't to gain authority. In fact, the desire to gain authority may be part of the problem. The true goal should be to earn influence.
Michael Santarcangelo, CEO of Security Catalyst, a security leadership and communication practice, says he frequently meets CISOs of large organizations who feel stuck. They’ve worked incredibly hard during their careers to make it to the executive level, and now that they’re there, they’re still fighting for the ability to impact the organization’s decisions—even when it comes to rolling out security programs and projects. While it’s a tough place to be, says Santarcangelo, CISOs can make changes and increase the scope of their influence. But only if they’re willing to realize that the name of the game is not power.
“One problem we have in security,” says Santarcangelo, “is that we know we’re the experts in security, but are less good at recognizing that we’re not business experts. The CISO’s job is to educate and recommend ideas, changes, strategies that will keep the company better protected, but the CISO is not the ultimate decision maker. Nor should that be the goal. It’s not even necessary.”
What Santarcangelo means is that a great security program is a business enabler, not the business itself. Because security practitioners are so focused on running a good security program and everything that accompanies it (data protection, patch management, secure system implementation, etc.), it's easy to make assumptions. Everyone wants to prevent a data breach, right? It depends. If that's in support of a larger business goal, like keeping customers happy, avoiding brand damage, or ensuring business continuity, then yes. But "preventing a breach" isn't the goal for most business leaders; satisfied customers and revenue growth are.
“What problem are you trying to solve?”
When Santarcangelo meets with CISOs, his first question to them is always, "What is the problem you're trying to solve?" Not surprisingly, an overwhelming majority of CISOs respond with "preventing a breach" or even "I don't know." "I don't know," says Santarcangelo, is often the more accurate answer, because at least it shows that the CISO understands the mission is bigger than security.
To determine what problem you’re honestly trying to solve, Santarcangelo says the key is simple: Go ask. Get out of your office and meet people where they are. Ask what they are working on, what priorities and goals they have, what they feel would help them achieve success. Sometimes the business leaders with whom you will meet aren’t sure either, but having that conversation will help you understand their pacing, timing, habits, and even thought processes.
Ensure, too, says Santarcangelo, that you are not asking questions for the sake of asking questions, but that you are really listening and digesting what the other person is saying. Doing so can be as easy as reframing the answer back to the person and then asking, “Do I have that right?” To make forward progress, it’s essential to get to a mutual understanding, so while this step might seem pedantic, it’s actually critical to good communication.
In his meetings with executives, Santarcangelo sketches out workflows and goals on a whiteboard as his clients explain their processes to him. This allows everyone to see precisely what is happening, determine whether what's intended is actually occurring, and then adjust if the process isn't working. "It's amazing," he says, "how often people think one thing is happening, but when they see it written out, they realize they're going in the opposite direction." This is where problems arise when trying to work with business colleagues: if you think you're saying the same things and aiming toward the same goals but you're not, tensions rise and someone is going to get blocked. More often than not, it is the security team that loses influence.
Partnering provides value
Security teams need to be in alignment with the business. It’s security’s job to find solutions that allow the business to meet its goals. Sometimes that means security won’t be able to implement a policy or technology that may be beneficial to the business in terms of securing systems, people, or data. The only way to increase the security “win” ratio, however, is to spend time listening to colleagues and educating them.
“Security has to adapt to business,” advises Santarcangelo, “and by becoming more adaptive, you’re becoming a better listener. If you can listen without emotion and use that information to find solutions that help colleagues accomplish their job more easily, you become more helpful and therefore more influential. As you repeat this process, you become the person who helps people solve problems. If you succeed, and you succeed multiple times, you will be valuable. People will start to seek your advice. You’ll start to notice you aren’t disregarded as easily. That’s influence.”
Interested in learning how to improve your leadership skills and become a more effective company influencer? Attend the CISO Leadership Summit at InfoSec World 2018 in Orlando, Florida, on Sunday, March 18th.