CISO playbook: 3 steps to breaking in a new boss

As CISOs know all too well, change is inevitable—and that includes organizational regime change. Here, security leaders share their best advice for starting new C-suite relationships off on the right foot.


Building rapport with upper management is challenging in the best of times. With a long list of wishes and constraints, a finite budget, and varying degrees of leadership support, CISOs shoulder the responsibility of relationship building at the highest levels of their organizations.

What happens when those relationships disappear and you're left having to justify a security strategy supported by your new boss’s predecessor?

Here, three security leaders share their hard-won wisdom on navigating new, evolving, and unexpected C-suite relationships.

Establish your base

The security leaders CSO spoke with for this article cite frequent and open communication as the number one factor in advancing and preserving their initiatives with new or changing management. Time and effort spent developing strong relationships across various roles and parts of the business provide a ready source of support and validation when presenting plans to new leadership.

Michael McNeil, Sr. VP, Global CISO at McKesson Corporation, takes a holistic approach to relationship building, engaging in in-depth conversations with each member of the executive team, from the CEO, CFO, and general counsel to HR and others. His goal: to understand their concerns and priorities. “In building those appropriate relationships and understanding throughout the organization, you really have to start at the top,” he says. From there he interviews the business unit leaders, external clients, and vendors, incorporating all of their feedback into the overall plan he presents to new, and even established, management.

Michael McNeil, Sr. VP, Global CISO, McKesson Corporation

Like McNeil, Rinki Sethi, VP and CISO at Twitter, relies on effective communication to establish a foundation of trust. “The success of a CISO and the ability to execute quickly relies on strong relationships and trust,” Sethi says. “When joining a new organization or dealing with a new boss, take time to get to know people, understand their priorities and vision for the future.”

Sethi believes that one of the CISO's most important responsibilities is to continuously educate their organizations on security threats, current trends, and industry peers’ best practices—regardless of whether change or transformation is needed. By embracing a proactive approach to sharing information, she is able to remove mystery and doubt surrounding the CISO role and show new management that a strong baseline has already been established.

Strengthen your position

Educating stakeholders and frequently communicating insights, concerns, and solutions leads to greater trust and acceptance of a CISO’s initiatives and goals throughout the organization. But you'll still need to make the case for your security strategy.

“It becomes very critical, from a success perspective, that the entire organization understands the importance of the initiatives and the program, as it helps with the sustainability of execution during leadership transitions,” McNeil says. “Now, that’s not to say that you are not going to still have to reposition for the new leadership the value propositions, ROI, and explain your current priorities, but you’re not alone in that positioning.” Having already spent time nurturing relationships and educating key stakeholders, McNeil can make his case with support from across the business.

Sethi recommends that CISOs use industry and peer data to strengthen their positioning. When it comes to presenting to new management, she wants CISOs to be ready to point to the risk-based and data-driven insights that shaped their initiatives and goals. This provides context and facilitates understanding, as well as speedier buy-in on proposed initiatives. “Having industry benchmark data or even industry peers’ best practices in your back pocket can also provide helpful background on the development and fruition of strategies and goals,” she says. “Data, industry insights and internal and external champions can be invaluable in moving forward.”

Rinki Sethi, VP and CISO, Twitter

Sethi emphasizes the importance of clearly articulating risks, options to mitigate those risks, and the impact of putting initiatives on the back burner. “Bringing current events, breaches, and large reported incidents to attention, especially where those events may have been caused by a risk that is outstanding in your existing organization, could be eye-opening, helping to gather support and buy-in for proposals and initiatives,” she says.

McNeil adds that transparency is critical for building trust with new leadership. “You really need to have your foundation and understand what your assets are, the types of tools that you’re utilizing and where they’re being utilized most effectively,” he says. “That transparency allows you to build the appropriate roadmap and develop a value proposition on how to move from point A to point B. You can then establish a realistic timeline in order to execute against that particular roadmap.”

He points out that it’s not possible to snap your fingers and move on every initiative, but CISOs who have successfully aligned and built consensus with their stakeholders and leadership often get buy-in quickly.

Set a new course

Whether you’re new to the role or the relationship, encouraging growth and change often requires overcoming legacy ways of working. For Atlassian CISO Adrian Ludwig, that means always being in a state of evaluation and reinvention. “We’re constantly facing changes to our teams, our products, and our customers and so we regularly need to reinvent our processes,” he says.

Adrian Ludwig, CISO, Atlassian

Ludwig believes taking such a proactive approach to transformation can help support the CISO agenda when it comes to presenting risk mitigation to new management. “We’ve had at least two to three people join our team each month since I started almost three years ago,” Ludwig says. “I’ve met with each new person and I’ve issued them a challenge: Use the experience and fresh perspective you’re bringing into the role to find something that doesn’t seem right to you and respectfully challenge the person who knows the most about it. Let that person know you want to understand why we’re doing things the way we are, because it doesn’t seem right based on your expertise. In the discussion, the veteran employee may realize that we should be doing things differently. In either case, both the newcomer and the veteran will walk away with a fresh perspective and understanding of each other, and with confidence that one of our processes is as up to date as it needs to be.”

Empowering stakeholders to influence processes and initiatives in this way gives them a sense of ownership and reinforces a foundation of trust that translates into a stronger corporate culture. At the same time, existing processes that withstand challenges and are proven to work are likely to be embraced by incoming management teams.

“Prioritizing transparency and building trust within an organization, whether it be with stakeholders or executives, is critical for every security leader,” Sethi adds. “When executives and stakeholders feel that they’re being heard and understand how security plays into the acceleration of their goals, they become champions of a security strategy.”

Copyright © 2020 IDG Communications, Inc.