You are a new Chief Information Security Officer (CISO) in the financial services industry. You are excited about the job but anxious due to the scale of the cyber threat from a range of actors: lone-wolf hackers, organized crime syndicates, governments and their proxies, and insiders. As you think through your game plan for addressing these threats, what’s your most important first step?
- A. Get the latest technology and management tools.
- B. Develop new, mandatory, IT security training for the company or client.
- C. Bring in consultants to advise you on the latest threats.
- D. Tighten protocols and increase penetration stress tests.
- E. None of the above
Unless you picked E you will end up as just another victim. Your company will be inadequately prepared to prevent a breach. Your team’s flat-footed response after the breach will result in major losses to the business. You will be the scapegoat.
When your back is against the wall and you have to prepare your team to deal with new and unprecedented threats, this is what you should do. It's the opposite of what every guru is preaching.
Your First Step: Build Trust. Up and Out; Down and In
Zero Trust is an important technology and cybersecurity precaution. No one should be granted total access to information.
A zero-trust approach to workplace relationships, however, is disastrous. When dealing with your people and teams and those you support, you need to earn Total Trust. You were hired because you seemed to be the best qualified person for the job, but that does not mean you are trusted by your CEO, peers or team.
Lack of total trust sets you up for failure:
- You will not make much headway on getting cybersecurity imbedded in the culture;
- You will not be invited to board meetings to discuss cybersecurity;
- You will have little interaction with the CEO;
- Your C-suite colleagues will try to poach your budget and client;
- You will be seen as an impediment to growth; a distraction from business;
- You will have high rates of employee burnout and turnover;
- Your team’s vigilance and responsiveness to threats will be unequal to the task.
Fortunately, you do not have to share in this fate.
When building trust, think 1) Up and Out and 2) Down and In.
Up and Out: It is tempting, particularly for leaders of highly technical teams whose missions are poorly understood across the company, to start building relationships from your silo – your comfort zone and point of view. This common approach is the fast track to poor communication and mistrust.
To build a trusting relationship with your boss and your peers, you have to meet them at their bus stop. That is, you must see things from their point of view, talk their language and understand their interests and concerns. They won’t trust you fully unless they know you “get it.”
How do you know that you are on the right track?
- You can “see yourself” and the business from their point of view.
- You discern how they view you and your team.
- You recognize their perceptions about how you affect their performance and the company overall.
- You understand the company’s vision, mission, goals and values and how you contribute to success.
Question: Can you explain all the above so clearly that it makes sense to a five-year-old? If not, you do not know it well enough.
Down and In. Build trust with your team. Trust is earned. It is not given because of your position.
Being trustworthy means being worthy of trust. This is most powerfully expressed in your competence and your character. Your team needs to believe that you can do the job, that your word is good, that you will treat each employee with respect and that you will be a good steward of your people, teams and organization.
How do you know that you are on the right track?
- You set clear performance and behavior expectations;
- You meet those expectations yourself;
- You hold everyone equally accountable – no favorites;
- People bring you bad news immediately without sugar coating;
- Employees provide you with candid feedback without fear of backlash;
- Your employees understand their mission clearly and how it relates to the mission and goals of the company.
Question: What have you done today to show your team that you are worthy of their trust and respect?
When you have total trust, your CEO and board want to hear what you have to say, your colleagues will see you are a partner, and your team will have higher rates of engagement and lower risk of burnout and turnover. Your company’s cybersecurity will be far stronger, too.