Today’s CISOs are more than technologists — we strive to make ourselves resourceful and well-rounded business leaders. To advance cybersecurity initiatives, we must align our efforts with strategic business objectives and collaborate with colleagues who are not experts in IT or security. In fact, Gartner’s research found that top-performing CISOs already regularly meet with three times as many non-IT stakeholders as they do with IT personnel. Gartner believes that by 2024, 60% of CISOs will establish critical partnerships with top executives in sales, finance, and marketing — up from under 20% now.
Building and maintaining these relationships requires situational awareness, business alignment, and a fair bit of persuasion. Learning how to collaborate with partners from across the organization on their terms will allow companies to succeed with their security initiatives. Here’s a roadmap for making that happen:
- Gain situational awareness.
Understanding the state of the security program, projects, gaps, and successes takes thoughtful inquiries to colleagues on the security team and outside it. CISOs need to establish a dialogue with stakeholders and understand not only the current risks and technology-related concerns, but also business priorities, industry dynamics, and other non-technical matters that can affect cybersecurity. Asking the right questions, of the right people, and at the right time can do wonders for advancing security projects and developing trust across departments.
When entering a new situation or interacting with new stakeholders, consider using open-ended questions to understand the person’s state of mind and expertise. For example, asking, “What do you think?” will make it possible to cater the discussion to the other person’s concerns and use the terminology and concepts appropriate for the other party. For such interactions to gain results, it’s important to listen to the other person and make sure they know they’re being heard.
When the time comes to brainstorm for creative solutions to security challenges, it’s often useful to communicate using words that include the other party in the situation. For example, starting the question with “How might we…” often reveals information and approaches that may not have been considered. Also, starting with gentler, less confrontational questions and gradually escalating the sensitivity will help to establish buy-in and facilitate positive collaboration.
- Demonstrate business alignment.
Linking security strategies to business goals helps CISOs drive insightful conversations with non-IT stakeholders about the value the security program brings to the organization.
It’s no surprise that people outside the security team don’t think about security all day long. Instead, they focus on tasks and challenges directly related to their own jobs. To gain the support of such colleagues, understand their individual priorities and the organization’s overall business objectives. Then, determine how the company’s security efforts support these non-security initiatives and frame the discussions accordingly.
Take the time to understand the company’s vision for its future — for the current quarter, year, and longer. Next, understand the associated objectives of the teams with which the security group seeks to collaborate. Review the company’s security initiatives to determine how they support these goals. Such business alignment will remind all of the program’s stakeholders that everyone’s efforts are contributing toward shared objectives that go beyond cybersecurity.
By aligning the company’s security plans with shared business objectives, a CISO can establish himself as a leader who creates value for the organization.
- Practice persuasion.
CISOs aim to convince co-workers to follow recommended actions, gain stakeholder support, or defend budget requests. Start by achieving situational awareness and demonstrating business alignment. In doing so, a CISO will understand the perspectives of others, point to shared interests, and speak on their terms when seeking their support.
Security leaders are often in the position to challenge assumptions made by colleagues about actions we might consider risky. For example, how might we express concern about onboarding a risky vendor in a constructive way? Pose a question in a way that causes the person to see the issue from the perspective of the CISO. Chris Voss, a former FBI negotiator and author, advises CISOs to ask: “How am I supposed to do that?” In our scenario, the CISO can ask: “How can I support your request while safeguarding our data if the new vendor suffers a security breach?” By prompting the person to think about the security repercussions of the request, CISOs are likely to arrive at a solution that addresses the needs of both parties.
When asking others to support the security team’s initiatives, anticipate disagreements and rejection. Keep in mind that “no” isn’t always an outright rejection. Instead, view such a response as a starting point for a discussion — ask questions to understand the reasons for “no,” then respond by reframing the proposal using the methods outlined above.
Building relationships with stakeholders outside of the security organization requires speaking about shared objectives and demonstrating alignment. To succeed at this, CISOs must gain situational awareness, understanding the goals and roadblocks of others so that we can collaborate more effectively. Asking the right questions and practicing and encouraging empathy helps persuade colleagues to support our security initiatives. These techniques help CISOs build relationships with people throughout the organization, allowing us to establish partnerships essential to our professional success and the success of our security programs.
Lenny Zeltser, chief information security officer, Axonius