Not Just Security: CISOs are Business Executives
Earning legitimacy with your team and your board as a security leader
Years ago, Discernible was engaged by the CISO of a large security organization to repair the reputation of their team among both technical and non-technical partners, and to restore their credibility and influence within the company. Unfortunately, the CISO’s predecessor had taken an adversarial approach to working with other business functions and soured relationships that the security team needed in order to succeed.
Once we took inventory of how the security team and their partners felt about each other and their shared responsibilities, we got to work building a proactive communication program for teaching the security team the strategy and execution skills required for rebuilding trust with their peers at every level of the organization. Every member of the team had a role to play in turning aspirations of influence into a reality in order to move meaningful security work forward.
Yet the most important factor in their success was the commitment and credibility of the CISO, who understood that their job wasn’t to impose security policy or controls on the business, but to give their team the resources and relationships needed to solve the security problems that stood between the business and its goals.
CISO: Chief Influencer for Security Outcomes
Late last year, we published a blog post from Dr. Anthony Vance, Director of Pamplin Integrated Security at the Pamplin College of Business at Virginia Tech, about his team’s research on the behaviors that inhibit or facilitate a CISO’s legitimacy in the eyes of the board and C-suite executives.
A few weeks ago, Harvard Business Review published an article by Harvard Business School professor Nitin Nohria entitled “How New CEOs Establish Legitimacy.” The article underscored some of the same themes and opportunities that Dr. Vance’s research uncovered about how CISOs earn and keep legitimacy, and it also emphasized a point made by one of our advisors, Glenn Thorpe, in his recent blog post: security decisions are business decisions.
It’s not surprising to see this convergence, but it is still exciting to see. As security becomes a bigger priority for business leaders (or if we want to make it one), the CISO role has to be performed as a business executive position, not a “smartest security expert in the room” position. In fact, establishing legitimacy is critical for any business leader, because legitimacy is the most sustainable and effective basis for leadership in the long run.
“Authority alone provides a limited license to lead. We listen to those in authority because we’re required to do so; authority motivates via a follow-the-rules mechanism that will never encourage someone to go above-and-beyond the call of duty.” - Nitin Nohria
You may already be familiar with authority-based leadership, a formal power with decision-making rights (usually associated with a job title), or competence-based leadership, which is focused on performance. However, as Nohria explains in his article, legitimacy-based leadership is based on behaviors and actions that inspire others’ trust, respect, and commitment – which makes it more sustainable and effective in the long run.
Both the Harvard Business Review article on CEO legitimacy and Dr. Vance’s research on CISO legitimacy emphasize the importance of an effective communication strategy and execution in earning and maintaining legitimacy as security leaders.
Learn the Business
The research team at Virginia Tech found that with increased legitimacy comes increased support and collaboration. Through hundreds of hours of interviews, they found that earning that legitimacy requires CISOs to proactively engage with business leaders; that engagement is the primary way a CISO demonstrates they are a legitimate partner. The researchers observed that proactive communication with board members is a common pattern among more successful CISOs.
Dr. Vance’s team also discovered how important it is for CISO communications to show that they understand the company’s business priorities, a theme echoed by the research from Harvard.
Teach the Business to Your Team
Nohria’s research in business leadership aligns with decades of communication research showing that compelling narratives help employees understand where the organization is coming from and where it is going – and they’re drawn to leaders who can talk about that vision with accurate, honest, and clear direction.
“It helps even more,” Nohria writes, “if the leader can clearly explain how the organization needs to adapt to critical external changes to win and each employee’s role in contributing to the organization's success.”
Nohria is writing about CEOs here, but if there were ever an overarching vision for how a CISO should think about their own communication, and that of their team, with everyone from board members to colleagues across all business functions, this is it.
You might think this would already be a prerequisite for becoming a CISO. It’s not (yet), but it’s certainly a good indicator of how successful someone will be in the role. CISOs need to be able to influence people who don’t report to them.
If you’re interested in learning more about our communication coaching and influence training for current and aspiring security leaders, let us know.