
A CISO’s Guide to Managing Change and Politics


It seems that nearly all CISOs, regardless of whether they’re a transformational CISO or a steady-state CISO, currently are going through some kind of an uplift, transformation, or driving a major program (e.g., Zero Trust). While there are many challenges involved, it’s important to note that they are not technological. In fact, they are far from it – these challenges will be mostly organizational and political.

By Jinan Budge, Principal Analyst, Forrester

And yet most CISOs are not equipped to deal with this, for several reasons. They are bombarded with tactical requests; they’re dealing with a security image problem that has persisted for years, so not everyone in the organization loves the security team or will welcome security initiatives; security professionals generally hate the idea of politics and avoid it at all costs; and change is difficult for many people. Because of these, many detractors come out of the woodwork when a CISO kicks off a new security program.

CISOs Need to Drive Change Using The 3 P’s: People. Process. Politics.

For CISOs to ensure the success of their security function and programs, they will need several qualities seldom discussed in the security industry: leadership, business insight, people skills, determination, pragmatism, and personal resilience. They can best navigate their way through organizations by paying attention to three crucial P’s: People. Process. Politics.

People: Supporters and Detractors 

The very best strategy in the world will go nowhere unless CISOs manage to execute it. In order to execute, they will need to convince stakeholders to undertake the journey with them, or at least support them in their respective journeys. Remember, everything comes down to human interactions, and human interaction is inherently complex and political.

Broadly speaking, stakeholders will fall into two camps: supporters and detractors. Each has its own set of needs, and as with any other project, CISOs need to be methodical in their approach to engaging them. It’s not uncommon to see CISOs immediately resorting to reactive or one-off announcements about their strategy or program, typically acting too late. This only serves to fuel detractors and doesn’t give stakeholders the chance to support CISOs. Experience also indicates there’s a lot of fear of engagement, typically because no one likes criticism. Yet CISOs can achieve much more favorable and faster results if they follow these simple, yet often missed, steps:

  • Understanding exactly who their key players are: Identify who needs to be on board with the strategy and the role each of them assumes in the approval, delivery, and maintenance of the plan.
  • Preparing the ground and socializing their strategy: Plant the seed of the need for the change, understand what each stakeholder needs and what they’re concerned about, and have socialization conversations one stakeholder at a time.
  • Listening and turning criticisms into a solution: You will improve your chances of influencing and convincing your stakeholders if you listen more than you talk.

Politics: Be ethical and maintain integrity to achieve great opportunity 

We as human beings tend to shy away from politics for good reasons, the most obvious being what we see of our politicians on television. Typically, we equate elements of their rhetoric with backstabbing. But that is not in fact how senior leaders see politics – they see it as their greatest opportunity to really listen, really understand what people are saying, and persuade and build influence. When CISOs listen, they gain several advantages, such as really hearing what the stakeholder’s concerns are and how to overcome them. CISOs can then build a coalition of the willing for their strategy. By being transparent, CISOs are also building their reputation as a visible leader rather than a back-office operator.

Process: Utilize your persuasion and influence toolkit 

The conversation about politics, influence, and persuasion is not one that happens often in security. To the uninitiated, it may even sound like some high-level concept. Some might even confuse it with “begging on your knees.” Yet CISOs can follow a thorough process with each of their stakeholders. This is professional political maneuvering at its finest, and it can absolutely be done with ethics, finesse, and integrity. Use these tools:

  • Collective Momentum: Socialize the security vision, strategy, and change program and build momentum. When the CISO finally presents the vision, they can list the engaged sponsors.
  • Authority: There’s nothing like influence from the top down. If the CEO believes in something, most of the time, the organization falls into line.
  • Mutual Exchange: If a CISO aids a potential sponsor over and above what’s required, they build goodwill. They may be able to use that later.
  • Scarcity: CISOs can use time or resource limits (such as regulatory deadlines or vendor discounts) to create urgency.
  • Foresight: CISOs need to keep their sponsors briefed and be transparent about all situations, positive and negative.
  • Relationship: CISOs need to build a positive relationship with the key players ahead of time, so that this relationship can influence the response.

CISOs Need to Decide Their Type and Flex Their Leadership Muscles Accordingly

CISOs should ask themselves how much of their current success is a result of their technical knowledge, and how much is the result of their ability to collaborate and persuade. Better still, they should do some self-reflection and decide the type of CISO they want to be. Currently, six types of security leaders exist: Transformational CISO, Post-Breach CISO, Tactical/Operational Expert CISO, Compliance and Risk Guru, Steady State CISO, and Customer-facing Evangelist.

Regardless of CISO type, CISOs will need to manage change and deal with politics and people. By doing this mindfully and understanding the type of CISO they are, CISOs can find their perfect organizational culture, be clear on which background and characteristics serve their type best, know when to exit a toxic environment, plan for their future, be prepared for upcoming challenges, and build a positive, high-performing team that reflects their type.

Additionally, they will execute security programs and likely deal with stakeholders at some level. This will require them to prioritize their role as a leader, which involves sharpening leadership skills, especially those that are unfamiliar. To help them do that, they should find mentors or executive coaches, as well as build a positive, high-performing team that reflects their CISO type. They will also need to manage their mental health to avoid burnout. Depending on their CISO type, they should also seriously consider building their communication and public speaking skills.

And they should always remember that being political does not mean backstabbing, and that change happens all the time, everywhere, whether they notice it or not. This leaves the CISO with a simple choice: help to drive change forward, or simply follow change as it occurs.

About the Author

Jinan Budge, Principal Analyst, Forrester

Jinan is an experienced leader serving security and risk professionals who specializes in transformational change and building sustainable cybersecurity, digital, and information risk management capabilities. Jinan has delivered outstanding results using strategic and innovative thinking in the cybersecurity field — building, standing up, and delivering significant cyber transformation strategies across the public and private sectors. Jinan’s research centers on building transformational and effective security programs by focusing on, and communicating, the business issues and value of security to organizations and executives.

Views expressed in this article are personal. CISO MAG does not endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.