The role of the chief information security officer (CISO) has continuously evolved over the past few years. Effective CISOs have transformed into business leaders with a major say (and stake) in business strategy and priorities. CISOs need to be embedded in every department and at every level of the business. They need to be both on the ground and in the boardroom.
In theory, being everywhere, all the time, all at once, seems impossible. But, as a CISO with a track record of effectively managing risk in remote, in-person, and hybrid environments, I know that success is actually quite simple. So simple, in fact, that it’s tied to one key factor: trust.
Here are five essential trust-building actions CISOs must take to properly secure their organization.
1. Champion a risk management culture
CISOs, like most C-level leaders, have an extremely wide range of influence. We interact with people across the organization and at all levels, from the board of directors and executive team, to business unit leaders and operational staff, with incredible frequency. We also often connect with external entities, such as partners and customers. It’s important that CISOs view our close proximity to such a diverse range of individuals as a unique opportunity to influence the wider culture of an organization.
By encouraging your team and your peers to process decisions using a business risk-based approach you will help their chances of impact and success. Building upon that, they can leverage resources on-hand in a balanced way and optimize their contribution to delivering against the larger company vision. With a bit of guidance and conscious investment from yourself, your colleagues will approach their everyday decisions with critical intentionality that they didn’t have before — helping to prevent them from making critical mistakes and missteps.
Leveraging each interaction as an opportunity to educate and champion others, CISOs can build high-trust and high-value relationships across a business. Gradually, these individual investments and trust-building touchpoints will improve the overall security posture of your organization.
2. Communicate with clarity
A good CISO is a subject matter expert in security who understands how security frameworks impact business success and how to implement the processes needed to protect the organization. A great CISO disseminates their expertise, empowering people with a clear understanding of how they can play their part in securing the business against information security threats. But an outstanding CISO? They will bring observability and alignment around security to their colleagues, ensuring everyone is on the same page and in it together.
When you break corporate words like “observability” and “alignment” down, you get a simple and straightforward term: clarity. We all work better when we’re given clarity — clear instructions, reasoning, deadlines, and feedback. With clarity, we can make informed decisions, own our actions, and explain the “why” behind our work. Clarity breeds understanding, predictability, and certainty, thereby ensuring that we are operating with aligned expectations. This reduces the likelihood of confusion and conflict, thereby protecting trust.
Clarity is the cornerstone of trust and a critical investment for an outstanding CISO. Here’s what the approach to greater clarity looks like for security leaders:
- Identify critical processes with colleagues
- Identify their success criteria
- Work together to define key performance metrics that incorporate security
- Align on how these performance metrics play into key risk indicators
- Define clear thresholds for notification and alerting
3. Activate empathyWhen it comes to empathy, many leaders get stuck in the theory of it; it’s an oft-lauded leadership skill with direct ties to employee retention and business success. It’s easy to get caught up in talking about empathy’s benefits, and completely forget to act on it. But empathy without action is not a luxury security leaders can afford. Because empathy plays such an enormous role in trust, it’s much more than a theory to security leaders — it’s a critical variable of our success.
For the modern CISO, the key to successfully mitigating risk is to completely embed security throughout the enterprise. But before we can embed a security mindset in another business unit, we need to create connections, generate buy-in, and build trust with key stakeholders. We need to activate empathy.
The road to empathy starts with listening. Do you know what your business partner is going through at this exact moment? Maybe they just got reprimanded by a customer. Perhaps their supervisor just came down hard on their last deal size. Maybe they are going through a tough time at home. The point is, you never know what’s going on behind the scenes. That is, of course, unless you ask. It’s important CISOs understand what challenges (personal and professional) your business partner is facing, so we can make an informed decision on how to proceed.
Is this the right time for a conversation to happen? Is there another, more effective forum or approach? Catering conversations to the needs of our colleagues is critical to ensuring shared success.
Next, make an effort to understand the organizational model of the team you’re trying to engage. Is their organization operating at peak efficiency? Is their team set up to support their own success? Before a department can tackle security projects, it needs to be designed to support its own. Ask yourself: “How can I invest in my partner organization’s operational maturity to make them fit to handle security requests?” Help them help you.
CISOs have significant influence when it comes to business demands and decisions. It’s important we use this power for “good” — to leverage this influence to set up our business partners for success before our own. Once we understand a collaborator’s business needs, we can make more informed asks, setting them up for success when they are ready to tackle our challenges.
4. Prioritize growth mindset and agilityThis should come as no surprise. We are not always going to get our strategy or actions right. And I know that this is terrifying for a security leader to admit. But we have to afford ourselves the same empathy and understanding we give our colleagues and recognize that learning is all part of the job. Mistakes will be made. And we have to pivot — quickly — to assess and neutralize the mistake. And then pivot again — just as quickly — to assess when we learned and implement changes to our frameworks accordingly. Agility and a growth mindset demonstrate humility and strong intent for successful outcomes for our business partners, thereby building further trust.
It’s helpful to start your growth mindset journey with a simple consideration: what is our job really about? No, it’s not technical prowess. Most CISOs have a good technical understanding of security tools and processes, but at the end of the day, this knowledge is a baseline expectation. What our job comes down to is both holding the view of the massive span of a business (and its surface area) while also consistently bringing the question of “What can we do to optimize security today, and how can we do it better tomorrow?” Knowing that agility and evolution is a part of your daily routine makes the reality of constant change easier to swallow. And a lot more fun. Believe me.
5. Arm your team with trustWhen we talk about team management, it’s easy to put the burden of trust on your team. We need to trust that our team can execute, so we sometimes fixate on the idea that they need to build and maintain trust with us. But it’s important to remember that trust is a two-way street. And a key to operationalizing an effective security program is arming your team with trust in you: the security leader.
To get an accurate measure of trust in your leadership, you should take a look at team dynamics. A high-trust team will have zero hesitation in sharing an unpopular opinion and a high level of comfort in being open and vulnerable in meetings. They will be supportive, engaging, and creative. Meetings will be heavy with discussion and collaboration. Trust feels blameless. When something goes wrong, a team with a culture of trust focuses on what went wrong and how to engage moving forward. Feedback in a trusting environment is focused, collaborative, and safe. A capable team that has trust in you as a leader and trust in each other is well-prepared to manage and mitigate organizational risk.
If trust seems like it is trending low in your organization, don’t stress. Trust in your leadership is built over time, and is built on some of the tips I mentioned earlier, like clarity and direction. By establishing a core set of team values, and generating alignment in these values, leaders can build a shared sense of purpose and camaraderie (stepping stones on the road to trust).