The role of the CISO is evolving at a faster pace than ever before. Today, security leaders are often viewed as business enablers instead of simply risk or compliance managers.
In fact, by 2024, 60% of CISOs will establish critical partnerships with key executives in sales, finance and marketing — up from less than 20% today, according to Gartner.
What’s more, top performing CISOs are already regularly meeting with three times as many non-IT stakeholders as they do with their IT counterparts, Gartner found.
The research outfit also notes that two-thirds of these top performers meet at least once per month with business unit leaders (45% meet with the head of marketing, and 30% meet with the head of sales).
So, what does this tell us?
That — while CISOs have historically built solid relationships with their IT counterparts — they need to equally focus on building alliances with business leaders outside of IT. And, according to the research from Gartner, that’ll need to remain a focus in the coming years. That’s because collaborating with partners from across the organization is essential to creating a more secure organization.
But what do building and maintaining those relationships really mean — and how do security leaders do that?
To find out the answer, I reached out to our own CISO and SANS Faculty Fellow, Lenny Zeltser.
“You need to influence, build relationships, and understand what's important to others, and then frame your own objectives on their terms.” — Lenny Zeltser
The CISO role has become more multifaceted and critical than ever before. The modern security leader is nurturing an environment that inspires other business units to consider security implications in their decision making.
These CISOs understand that technology and the risks to data security are no longer just limited to an organization’s IT department. Instead, they view leaders from different business units — heads of sales, marketing, finance, and more — as key partners in building a strong security culture.
“It used to be that a CISO could be a technologist ... but now they are expected to be a business executive,” Lenny said. “And CISOs who are operating within a bubble may be less effective than those who are actively building internal partnerships. To succeed at this, we need to become business-aligned CISOs.”
So, how can CISOs ensure they make their interactions with non-IT stakeholders more meaningful?
Business alignment begins by understanding leadership’s vision for the future of your company. From there, security leaders should ensure their programs’ goals are in sync with business goals, Lenny explained.
Linking security strategies to business goals helps CISOs drive insightful conversations with non-IT stakeholders about the value the security program brings to the organization.
This approach is also instrumental in securing budget requests and planning for security advancements.
Another key aspect of business-aligned security leaders? Instead of focusing on tech and threat-centric conversations, business-aligned security leaders speak in terms that others in the organization understand, Lenny told me.
“All functions within the business have their own objectives and metrics, but they're all doing things to support broader organizational goals,” Lenny explained. “For a business-aligned security organization, goals become areas where they can find commonalities and can drive better engagement with other business unit leaders.”
CISOs aren’t usually in a position to simply dictate what others outside of their security team should be doing, Lenny pointed out. Instead, embedding security priorities into company culture takes regular communication and collaboration with other departments.
“To be persuasive, it is important to get the other person to understand your perspective,” Lenny said. “But it’s just as important to be mindful that these stakeholders all have their own agendas.”
This is where empathy comes in.
It’s a key enabler for driving meaningful relationships and conversations with people from across the organization. Being cognizant of the goals, priorities, and hurdles of other teams within the business — and understanding and prioritizing what they find valuable and worth protecting — makes conversations with non-IT stakeholders more meaningful and effective.
It’s equally important to be responsive, pay attention, and use inclusive language when driving these conversations, Lenny added.
The security team provides oversight, guidance, and leadership related to security. But it can’t directly control the day-to-day actions and decisions of the individuals outside the security team, Lenny said.
How can the security team increase the chances that people throughout the company take security into account when making routine decisions or embarking on new projects?
“One approach is to work with leaders throughout the company to formally include some security metrics or objectives in their quarterly or yearly goals,” Lenny suggested.
“People are influenced by the incentives that the company creates to drive the desired behavior. Formally including security considerations in the plans of non-security stakeholders makes people throughout the organization accountable for their decisions,” he explained. “This helps avoid treating security and risk as the considerations that exist solely within the confines of the security team.”