Security and Privacy: If You Want a Seat at the Table, You Have to Earn It

Photo by Melanie Ensign

I believe security and privacy perspectives are critical participants at the decision-making table, but that could be because I’ve seen the damaging financial, competitive, and regulatory consequences from inside companies who didn’t listen to their security or privacy advisors. Perhaps it’s because my role requires me to study and understand the attitudes of everyone outside an organization such as the SEC, the FTC, and customers — all of whom are demanding security and privacy play a bigger role in business leadership.

Yet, despite the advantages of having all your risk functions represented at the senior-most table, many security and privacy professionals are still a long way away from becoming welcomed and trusted advisors inside their organizations, and this prevents them from having a meaningful voice in strategic business discussions even if they’re at the table.

Value over function

When security and privacy professionals argue that they deserve a seat at the table simply because of their function, they’re doing themselves a disservice. I learned this the hard way as a young corporate communications professional. External perception and reputation seemed like obvious perspectives to have in any discussion of material substance (particularly in the context of security or privacy); but in reality, most business executives only care about what helps them make better decisions and what makes them better leaders. I don’t fault them for this, that’s their job.

Most executives think they’re already good at communicating (even if they’re not!) and so simply being an expert in my functional area wasn’t enough. If the CTO already thinks they’re an expert in my field, they’re not going to pull out a chair for me unless I can offer something they value, because business leaders listen to advisors whose perspectives they think they need. If they already think that security and privacy are merely a function of compliance checklists or government hand waving, they likely don’t think they need your perspective on anything more strategic.

Leaders listen to the advisors they think they need

We often hear the mantra that we can earn a seat at the table through the value we bring to the organization, but remember, value is in the eye of the beholder. Many of our clients come to Discernible because they’re seen by senior leadership only as “implementers”: people who can execute but aren’t seen as originators of significant insights. Some are seen as “tacticians,” which are essentially managers of implementers. These are critical roles for the success of an organization for sure, but they are not viewed as trusted advisors by senior leadership. How do you break out of that mold once you decide you no longer want to be seen as an implementer or tactician?

  • Define your role and live it. If you view yourself and your role in limited terms, so will everyone else. Remember that we teach others how to treat us, and if you need more resources to scale a program that goes beyond compliance or bare minimum procurement requirements, then stop characterizing your work according to individual regulations. Leaders won’t trust your counsel beyond your functional area until they see you as a business problem solver.

  • Use the business’s frame and vocabulary. Use sufficient business acumen to understand the dynamics, processes, and vocabulary of your industry and sector. Understand the dynamics of your organization that lead to or inhibit competitive advantage.

  • Give options with outcomes. Sound decisions are made based on outcomes, not personal preferences. The job of trusted advisors is to help leaders identify and strategize toward the best outcome or sometimes simply the least bad outcome. Instead of using language like “we should do x” or “we have to do y,” try offering 3 doable options with anticipated outcomes. For example, what will happen if we do nothing, what will happen if we do something modest, what will happen if we do something big? Now, deliver your insights in those predictions. Don’t forget to include unexpected consequences – those are predictable too!
