Cyber risk has now zoomed to the top of many board agendas. Corporate directors clearly understand that if they do not take decisive steps, their organizations could be the next victim of a debilitating cyber-attack, wiping shareholder value and leaving a lasting dent in their professional legacies. Yet, at the same time, several cyber leaders are still finding it challenging to fix toxic cyber resilient cultures. There are three common symptoms:
- Willy-nilly risk acceptance by senior business leaders, including obviously fixable high-risk control gaps; senior leaders are only forced to pay attention to a crisis.
- Executives barely show up at cyber governance committees. At best, they delegate cyber risk governance meetings to middle and junior managers.
- The Chief Information Security Officer (CISO) lacks organizational stature, and important cyber resilience messages continuously fall on deaf ears.
These issues frustrate cyber leaders, some of whom respond by leaning back and hoping that these entrenched issues will magically vanish. But based on our experience training cyber leaders from dozens of countries, there are five essential traits cyber leaders can master to drive positive change: Setting a realistic agenda, cultivating credibility, sharpening executive communication skills, being courageous, and mastering the art of influence. In short, we fix these issues by focusing on the person in the mirror, not complaining about external factors we have no power to alter.
Be ambitious, but be careful not to overpromise
First, you need to take a disciplined strategic approach to cyber resilience. This means working off an articulated cyber transformation roadmap, fully sponsored by the executive team, and supported by the board. Here, it's essential to strike the right balance between ambition and caution. If you deliver over and above your promises, your credibility is boosted. Attempting to boil the ocean is a common blunder among cyber leadership teams. Predictably, these exaggerated promises always come back to bite at a breathtaking speed. Creating beautiful strategy slides is the easy bit, but delivering new capabilities is a way different beast. Here are two examples to illustrate this common mistake:
- Excited by the new challenge, the CISO commits to encrypting large sets of databases within the next months, only to discover after the strategy has been endorsed that attempting to do so will break legacy platforms' functionality.
- A CISO spends months planning to secure core applications at a subsidiary company, only to find out that the business is planning to spin off the entity within the financial year. All that effort has now gone waste.
In sum, it’s always dangerous to promise a Ferrari and then deliver a Toyota Corolla.
Of course, no strategy is set in stone, but constantly going back to the board with revised targets or apologizing for “miscommunication” will send your credibility flying through the window. So, take time to understand where the business is headed, technical constraints, and your team's capabilities.
An essential part of strategic planning is understanding what can go wrong and making relevant provisions.
Deliberately cultivate your credibility
To paraphrase Steven Martin, writing for the Harvard Business Review, decision-makers often place less faith in what is said and more on who is saying it; it's the messenger who carries the sway, not necessarily the message itself.
Cyber leaders often complain that they have no access to the board, or their messages fall on deaf ears. But to thrive in any executive role, authority matters; cyber leadership is no exception. Business leaders will believe your story if you have a strong standing in the industry, and you are respected by your peers.
This has worked for me in profound ways. By rigorously pushing thought leadership articles, collaborating extensively with fellow cyber leaders, speaking at industry events, etc., the credibility I built externally naturally tricked down into my professional roles. Over time, my messages became more believable. I started to project a more assertive tone of confidence and got access to meetings I would otherwise not have been invited to. If the Chief Executive Officer (CEO) respects you, you will have access to the board; it’s as simple as that.
Sharpen business communication skills
Let us face it—cybersecurity is a highly technical and an expansive subject. No wonder that most senior business leaders find it too ambiguous and frustrating. Therefore, cyber leaders who master the art of persuasive communication will easily stand out. To thrive as a CISO, the ability to communicate persuasively and with impact is non-negotiable. Here are two useful strategies I have used:
- Link cyber resilience to strategic matters executives and directors care for: business growth, customer retention, capital raising, success in mergers and acquisitions, etc. Avoid high-flying technical jargon—can make you sound important but only harms your credibility. Most senior business leaders are not interested in how many spams you stopped but deeply care if a system that supports 40% of their revenue line is crippled by a ransomware attack with no offline backups.
- Avoid useless words and get straight to your point. As the legendary William Zinsser wrote, the secret of good writing is to strip every sentence to its cleanest form. Writing with clarity, brevity, and humanity takes time; there are no shortcuts here. The only way to improve your writing is to read a lot and write a lot.
Your role as a cyber leader is to empower business executives to make risk-informed decisions; you are not hired to accept risk. CISOs often run into situations where they feel pressured to downgrade a risk because the business is unwilling to act. It's essential to be courageous, be realistic about risk scenarios, and resist the pressure to sugar-coat situations. I call this “please now, suffer later" because if you downgrade a material risk to please stakeholders when the inevitable happens, your credibility will tank.
Master influence and persuasion
As most new cyber leaders have learned the hard way, the CISO role is more about navigating complex and entrenched political systems while engineering new solutions and fixing broken stuff. Without the right people on your side, your cyber transformation program is doomed from the start. So, how can you get this, right? Here are two practical strategies that have worked for me:
- Spend time at the formative stages developing a strong rapport with your key stakeholders— CEO, Chief Operations Officer, Product Development Executives, Chief Information Officer (CIO), Chief Customer Officer, Chief Marketing Officer, etc. Understand their key concerns and expectations and infuse their perspectives into your cyber resilience strategy. Once key executives feel included in the strategy setting, they are bound to support its execution.
- Be deliberate about internal networking through organizing regular catchups with critical stakeholders, such as the CIO, Chief Risk Officer, CEO, or Chief Financial Officer. Take time to listen to their fears and aspirations and connect with them at a deeper personal level. Equally important, organize one-on-one catchups with key members of leadership committees before you pitch your strategy, risk paper, or budget request. Most important decisions are made way before the meeting, not during governance meetings.
John Baldoni summed this much better than I could have done: “Credibility is a leader's coin of the realm. With it, she can lead people to the Promised Land; without it, she wanders in the desert of lost expectations. Once lost, it may be impossible to regain, and so the lesson to any manager who as any aspiration of achieving anything is to guard your credibility and take care you never lose it."
Learn more about the art of executive influencing from industry-leading CISOs.
The Cyber Leadership Program is an eight-week online program that gives cybersecurity professionals and CISOs the practical strategies and executive skills required to influence C-suite stakeholders and board members for impact.