In this second blog in our series on the CISO's view, we take a deeper dive into the CISO's sphere of influence. Drawing on a panel discussion held at the ClubCISO Cyber Celebration in December, I'm going to pass on the panel's hints, tips and tricks for establishing better security practice and understanding through the art of persuasion.
Back in the mists of time, the great management thinker Peter Drucker is credited with the phrase "Culture eats strategy for breakfast". What he meant was not that strategy is unimportant, but that the culture of an organisation determines success regardless of how good your planning may be. Mike Tyson put it more crudely and perhaps more effectively: "Everyone has a plan until they get punched in the face."
So, welcome to the world of today’s CISO, where you have to be part leader, part educator, part counsellor and part fire-fighter.
As the CISOs at the panel event told us, in a modern, fragmented and virtual organisation, it’s not enough to throw policies and technology at the growing number of security challenges. Instead, you have to build a sustainable security culture where everyone understands the importance of staying safe and protecting the operations of the business. The risk is not just technical; it has become human.
That’s why CISOs are finding some useful and powerful ways to motivate, empower and influence the people in their organisations.
Here are the top 10 pieces of advice direct from the CISOs’ live discussion:
1. Get to know your board and team when they aren't under pressure. People behave differently in different situations, and stress can exaggerate the extremes of character. But it doesn't last and doesn't represent the real person you are dealing with.
2. When dealing with the board of your organisation, have a clear idea of their priorities and their agenda. They are unlikely to be technical, and the three things most businesses are interested in are making money, saving money and managing risk. CEOs are never going to speak your language, so try to speak theirs.
3. Boards love to know how well (or badly) you are doing compared to others; it's a sort of industry paranoia. Try to have performance benchmarks that compare your results to your peers. In short, know what "good" looks like and try to be better than others.
4. Be clear and set goalposts early. Boards hate surprises. And, if there are any grenades to be thrown into a meeting, then make sure you are doing the throwing. (But, be careful who you upset – see Mike Tyson quote above!)
5. Prepare your team for unusual meetings and curveball questions if they need to meet the wider business. Share your lessons and experience with them.
6. Never blame others and always have a solution. As one CISO said: "Solve problems; don't point fingers."
7. Motivating your team is important, but can be really tough. This is especially so when more people are working remotely, and rewards such as pay rises and bonuses may be harder to come by. It's a cliché, but small things and acts of recognition can make a difference.
8. Don't hold every video meeting as a group. Replace some of those team meetings with one-on-one video chats. Personal feedback and interaction are still important, and not everyone feels comfortable in a group situation on video.
9. Leadership means championing others when things go well and taking the blame yourself when things don’t. If you get that the wrong way round, then you are a politician, not a leader.
10. Try to have fun, but don’t force it from the top. Virtual games can work really well, in particular those that have been suggested and run by more junior members of your team. They are probably more creative than you anyway!