Today’s CISOs are more than technologists—we strive to make ourselves well-rounded business leaders. This involves aligning our efforts with business objectives and collaborating with colleagues who are not experts in IT or security. In fact, Gartner’s research found that top-performing CISOs regularly meet with three times as many non-IT stakeholders as they do with IT personnel. The research highlighted the need for security leaders to establish partnerships with top executives in sales, finance, and marketing.
Building and maintaining these relationships requires situational awareness, business alignment, and persuasion. Below is a roadmap for achieving this.
Gain Situational Awareness
Understanding the state of the security program, projects, gaps, and successes takes thoughtful inquiries to colleagues on the security team and outside it. CISOs need to establish a dialogue with stakeholders and understand not only the current risks and technology-related concerns, but also business priorities, industry dynamics, and other non-technical matters that can affect cybersecurity. Asking the right questions, of the right people, and at the right time can do wonders for advancing security projects and developing trust across departments.
When entering a new situation or interacting with new participants, consider open-ended questions to understand the person’s state of mind and expertise. For example, asking, “What do you think?” will make it possible to cater the discussion to the other person’s concerns and use the terminology appropriate for the other party. For such interactions to gain results, listen to the other person and make sure they know they’re being heard.
When brainstorming creative solutions to security challenges, it’s often useful to communicate using words that include the other party in the situation. For example, starting the question with “How might we…” often reveals information and approaches that may not have been considered. Also, starting with gentler, less confrontational questions and gradually escalating the sensitivity will help to gain their buy-in and facilitate positive collaboration.
Demonstrate Business Alignment
Linking security strategies to business goals helps CISOs drive insightful conversations with non-IT stakeholders about the value the security program brings to the organization.
It’s no surprise that people outside the security team don’t think about security all day long. Instead, they focus on tasks and challenges directly related to their own jobs. To gain their support, understand their individual priorities and the organization’s overall business objectives. Then, determine how the company’s security efforts support these non-security initiatives and frame the discussions accordingly.
Take the time to understand the company’s vision for its future—for the current quarter, year, and beyond. Next, understand the objectives of the teams with which the security group seeks to collaborate. Review your planned security initiatives to determine how they support these goals. Such alignment will remind all of the program’s stakeholders that everyone’s efforts are contributing toward shared objectives that go beyond cybersecurity.
By aligning the security plans with shared business objectives, the CISO can establish themselves as a leader who creates value for the organization.
Practice Persuasion
Security leaders are often in the position to challenge assumptions made by colleagues about actions we might consider risky. For example, how might we express concern about onboarding a risky vendor in a constructive way? Pose a question in a way that causes the person to see the issue from the perspective of the CISO. Chris Voss, a former FBI negotiator, advises for CISOs to ask: “How am I supposed to do that?” In our scenario, the CISO can ask: “How can I support your request while safeguarding our data if the new vendor suffers a security breach?” By influencing the person to think about the security repercussions of the request, CISOs are likely to arrive at a solution that addresses the needs of both parties.
When requesting others to support the security team’s initiatives, anticipate disagreements and rejection. Keep in mind that when you hear “no,” it isn’t always an outright rejection. Instead, view such a response as a starting point for a discussion—ask questions to understand the reasons for “no,” and then respond by reframing the proposal using the methods outlined above.
Awareness, Alignment, Persuasion
Building relationships with stakeholders outside of the security organization requires understanding shared objectives and demonstrating alignment with them. To succeed with this, CISOs must gain situational awareness, understanding others' goals and roadblocks. This way we can more effectively collaborate. Asking the right questions and practicing and encouraging empathy helps persuade colleagues to support our security initiatives. These techniques help CISOs establish partnerships essential to our professional success and the success of our security programs.