A CISO’s guide to politics

If a CISO wishes to be effective in the world of cybersecurity, should they play politics? Politics is a dirty word, especially in current times. Fake news, alternate facts, divisive tactics and shouting matches later, we have a new President. So what lessons can a CISO learn from this nasty world of politics?

I sat down with Shanit Gupta, who has over a decade of experience in cybersecurity and developed his POV on politics as his career progressed. He is the head of TechOps at Carbon. Most recently, he was the vice president of security and reliability at Practice Fusion, a electronic health record system provider with over a million users. Previously he spent six years at McAfee as a principal security engineer. He has a Master’s degree in Information Networking from Carnegie Mellon University. Shanit recently gave a talk at ISACA, a professional organization’s Silicon Valley forum on politics and cybersecurity.

Adversaries aside, any CISO has a lot going on – technology, team, budgets and now the pressures from the board. Should politics and cybersecurity even be in the same sentence?

Shanit: The role of CISO is evolving fast and while everyone hates politics, we need to understand its positive side. Politics can be about grabbing power, playing divisive games to achieve selfish outcomes. But at its very core, politics is the process of decision making. Decisions made in a collaborative, professional manner lead to stronger outcomes – be it security teams or our democratic country.

If you are an autocratic CISO then yes – you are the process – you can pretty much do whatever you want. Most security teams and organizations want a process, not a dictatorship. And in any good process, there will be humans and emotions. There will be incomplete and inaccurate data. And our goal as security leaders is to learn to foster good decisions in such an environment. So in my view, a good CISO needs to learn the positive aspects of politics – this process of getting the best from everyone as we make decisions.

Why should a CISO even bother about politics?

I did not bother about politics till my moment of enlightenment came. My mentor sat me down and pointed out that the best CISOs are well aware of the people side of the business.

Our role is as much about technology as it is about people, process and decision making. If we choose the path of leadership, it is more about people. Attracting the best-in-class security, building cohesion and serving them well.

If I can build a great team, we can protect our company and serve our customers even better. Instead of petty in-fighting, we are fighting the real adversaries. So in my view, politics can help you benefit in two significant ways (a) you serve customers better and (b) you can serve your team well.

Good leaders understand politics is not about coalescing power or furthering your personal agenda. My historic view of politics was somewhat myopic – I equated it to what we saw on national stage. It was a sick, nauseating roller coaster and we wanted it to be over.

But what if I am comfortable with my machines? This whole people side is too messy.  Can I choose not to play this game at all?

Plato said that one of the penalties of not participating in politics is that you are governed by your inferiors.

How do I know if I am well-suited for leading people?

I’d simply imagine a room with a few people, grappling with a problem, trying to come up with a solution. If you want your idea to be chosen then you are an architect, not the leader. You will have to let someone else lead.

If you want to be the leader, you have to step back and facilitate the solution from the team of participants. You have to resist the temptation to offer solutions.

When it comes to managing security teams, what are your observations and experiences?

Actually, it’s much more than security teams – a CISO today needs to manage a team, build a budget, engage with MSSPs and stand in the boardroom. The budgeting process requires engagement from the CIO, CFO and at times, even the CEO. The board room dynamic requires support from the CEO and your board.

Establishing a common ideology brings people together. If there was one thing evident in this election, it was commitment to an ideology or a “party”. In the next phase, the real work begins. Now, if I need to get a budget or a bill passed I need support from various decision makers. I need to find a sponsor – someone who cares, who will be respected and heard.

To be efficient with these new CISO functions, I believe we have to get out of our comfort zone. We have to find individuals who are well-respected in the organization. Find ways to associate and work with them. Those who are well-respected can often have strong views. Not everyone will act like a team. Not everyone will treat you as a coach. Or go along with the chosen direction. This is by far the biggest test of a leader – to convert your challengers to your advocates. This is hard, almost impossible. CISOs who can do this will achieve exponential outcomes.

Any best practices in the politics of cybersecurity we should be aware of?
Three practices that have helped me include:

• Budgets matter, so does timing: If you want to budget for security, there are certain times during the fiscal year. Budget cycles are open so you can plan for the year. At times, an industry news attack can also open a short window.

• Track your competition: The last thing a CEO wants to hear is that they are falling behind the competition, especially in security. Watch how the competitors are building their security posture. If they are compromised, make sure you are protected from those same vulnerabilities.

• Avoid fear and negativity: Fear does not sell well. No one wants to be around nay sayers. Great organizations are not built by naysayers.