Cyber risk has skyrocketed to the top of most corporate profiles, pushed by a variety of factors, chiefly among them: seemingly unstoppable high-impact cyber-attacks, increased personal liability on corporate directors, as well as insistent lobbying by investors, shareholders, customers, and business partners.
Today, cyber resilience is considered an essential aspect of doing business, materially impacting regulatory compliance, business growth ambitions, success in mergers and acquisitions, brand perception, cost of capital, and every critical aspect of the business value chain.
From our experience on the cyber leadership frontline and collaboration with cyber leaders from dozens of countries that go through our intensive Cyber Leadership Program (CLP), an essential and enduring lesson has emerged: Success in cyber leadership is less about technical prowess but the ability to deftly navigate entrenched political systems and enlist the buy-in of highly influential individuals, some of whom may not like the Chief Information Security Officer (CISO).
Although CISOs may sit at the top of the cyber hierarchy, rolling out important transformation programs depends on their ability to persuade executives and the board. In the absence of critical soft skills, their mission crashes during take-off. Effective stakeholder management is the cornerstone of cyber leadership.
Many cyber leaders, however, rise through the ranks from technical engineering and operational roles and often have their roots in technology, not leadership, thus rendering them woefully unprepared to yield significant influence.
This article discusses some simple yet powerful strategies to manage your stakeholders effectively.
A New Obstacle in Stakeholder Management
Stakeholders and the board are increasingly seeking insight into cybersecurity issues and their business implications. Back in 2015, PwC’s Annual Corporate Directors Survey revealed that 65% of public company directors wanted additional time and focus on IT risks like cybersecurity. Fast forward to 2022, and the PwC Annual Corporate Directors survey revealed that more than 90% of directors were confident in their cybersecurity defenses. While this is progress, the study states that high confidence levels in the boardroom could spell trouble for CISOs as companies risk relying on assumptions and exposing themselves to risk.
The ISACA State of Cybersecurity 2022 report also revealed 21% of respondents consider leadership buy-in as an obstacle to conducting cybersecurity risk assessments.
It is increasingly crucial for CISOs to effectively manage stakeholders to ensure the success of their cyber transformation programs. This requires stakeholder assessment, education, and persuasion.
Conduct A Thorough Stakeholder Assessment
First and foremost, a CISO must know where to devote their time. Stakeholders decide how and where to allocate resources and funding; however, not all stakeholders are created equal. A stakeholder mapping technique to plot stakeholder significance according to their influence and interest is useful to maximize limited time and cultivate a deliberate networking plan. The result of this analysis is the classic four-quadrant map, as shown in Figure 1.
This most important group wields significant authority and has skin in the game. In short, no consequential decision is made without their consent. Understanding the needs and perspectives of the high-influence/high-interest quadrant early and infusing these into the cyber transformation plan will strengthen organizational cybersecurity. Spend time at the formative stages of your executive role developing a strong rapport with your most critical stakeholders. Active management of these stakeholders is crucial and entails one-on-one meetings, email updates, social events, and debriefing on key papers before presenting them to committees. Furthermore, finding some mutual personal interests—such as sports, books, or personal stories—can also help deepen your connection with stakeholders. In short, do your best to keep this group satisfied.
At the top left sits the high-influence but low-interest stakeholders. This group is often not actively engaged in the program’s nuances but wields enormous influence on the cyber leader’s success. A good example is the internal audit team, whose views about your cyber resilience posture have the attention of the board audit committee. As you engage with this group, you might discover potential candidates to shift to the top right quadrant. For instance, if you operate in an industry where the license to operate is underpinned by compliance with strict data protection laws, then it might be worthwhile to engage your regulators or auditors proactively. You might discover that some stakeholders initially plotted in the top right quadrant are not that interested in the program in the same vein. So, you push the left and focus on nurturing a small set of strategic decision-makers.
At the bottom right quadrant are highly interested stakeholders who do not possess as much influence as the top right stakeholders. A good example is the enterprise architecture team, whose work is significantly impacted by security decisions but may not possess the same influence as the CIO. It is essential to keep this group informed. You must, however, be careful not to confuse rank with influence.
Low-Influence /Low-Interest Stakeholders
Lastly, there is the low-interest and low-influence segment, such as information technology (IT) support and administration teams. You can keep this group informed and engage at a deeper level when the need arises.
Identify And Manage Potential Detractors
Succeeding in this high-pressure CISO role is not merely about getting key decision-makers or power brokers on your side—it is equally important to know the potential detractors and proactively manage them. Left unchecked, the pressure from powerful detractors may get so intense that it derails the cyber leader’s mission. The first step in managing potential detractors is to identify who they are and then closely watch them. Managing difficult stakeholders is not for the impatient and short-tempered. It is important to remember that staying calm under pressure and actively listening to discern the root cause of their frustrations are proven tools to disempower hostile stakeholders. Just by being friendly and patient, you can melt down most of your stakeholders who are hostile to your project. A proven method to turn a detractor into a supporter is to develop relationships with their closest allies and then win their hearts indirectly through their close associates.
Top Recommendations To Effectively Manage Stakeholders
1. Acknowledge the Past but Focus on the Future.
A common and dangerous trap we see at the Cyber Leadership Institute is new CISOs who attempt to delete the past and swiftly forge forward with the new plan. Unless the role is a completely green field, you may not need to define an entirely new strategy. An unnecessary change of direction may incense stakeholders who had thrown themselves entirely behind the previous strategy. To avoid this common miscalculation, CISOs must acknowledge the work done by predecessors, deliberately and carefully assess the lay of the land, and know what should be left unchanged. For instance, you can use the first slide of your strategy deck to portray critical initiatives already delivered and positive aspects of the organizational culture that will support rapid cyber resilience transformation.
Getting this right requires these cyber leaders to slow down their pace and rigorously engage with internal and external stakeholders. This way, they will also be able to accelerate their learning curve, know where their predecessors went wrong, and maximize their chances of success.
2. Don’t Attempt to Boil the Ocean
To maximize your chances of success, you must take a disciplined, strategic approach to cyber resilience by working on an articulated cyber transformation roadmap fully sponsored by the executive team and supported by the board. Here, it is essential to strike the right balance between ambition and caution. Delivering over and above your promises boosts your credibility, while conversely, exaggerated promises will always come back to bite you. Take time to understand where the business is headed, its technical constraints, and your team’s capabilities. An essential part of strategic planning is understanding what can go wrong and making relevant provisions.
3. Sharpen Business Communication Skills
Let’s face it—cybersecurity is a highly technical and expansive subject. ISACA’s State of Cybersecurity 2022 report reveals that just 67% of board members feel well-versed in cybersecurity to discuss it with their CISO, which could explain why only half of those surveyed regularly meet with their CISO.
The ambiguity and highly technical jargon used in cyber reporting are most frustrating for business leaders. Therefore, cyber leaders who master the art of persuasive communication will easily stand out. To thrive as a CISO, the ability to communicate persuasively and with impact is necessary. Because you are competing for the board and C-suite’s limited time, you must deliberately communicate cyber risk information in a way that is easy to understand.
If cyber leaders want highly engaged stakeholders and boards, they need to simplify the message, discard technical jargon, and speak in the language of the business. Board members have limited time. Avoid complex reports and vain metrics that don’t explain anything useful. Effective CISOs are able to seamlessly tie cyber risk to new product success, business growth, the cost of capital, innovation, customer trust, profitability, and other crucial business priorities. That way, they can create a shared sense of purpose and position cyber risk as a strategic business enabler, not a necessary evil.
CISOs have a responsibility to utilize every second of their time with stakeholders. Ensuring adequate prioritization and funding for cybersecurity requires:
- Linking cyber risk to corporate objectives through developing an in-depth understanding of business operations, value chain, strategic priorities, risk appetite and regulatory environment.
- Sharpening story-telling skills and simplifying cyber risk in business terms to persuade the board and executive management to act. Most senior business leaders are not interested in how much spam you stopped but care if a system that supports 40% of their revenue line is crippled by a ransomware attack with no offline backups.
- Providing useful reporting to the board. Less than 50% of respondents in the 2022 PwC Annual Corporate Directors survey reported being very comfortable that adequate reporting on cybersecurity metrics were being given to the board. Cyber leaders must steer clear of technical jargon and devote time to compiling clear, concise reports in the language of the business. The article Ten Powerful Strategies To Uplift Board Reports explores this further.
- Tying the strategic cybersecurity initiatives to corporate values—something bigger than you, your team, or other individuals. For example, a CISO successfully convinced product development teams to train developers in secure coding because shipping safe products to consumers aligned with the firm’s value of “always doing what is right, not what is easy.”
4. Be A Courageous Leader
Your role as a cyber leader is to empower business executives to make risk-informed decisions—you are not hired to accept risk. Cyber leaders often run into situations where they feel pressured to downgrade a risk because the business is unwilling to act. You must stay strong in the face of undue pressure, be realistic about risk scenarios, and never sugar coat situations. This is called “please now, suffer later” because if you downgrade a material risk to please stakeholders and then the inevitable happens, your credibility will tank.
Effective leadership includes role modelling, active participation in cyber drills and holding managers accountable for maintaining robust cybersecurity controls. It also requires business leaders to embed cybersecurity into vital business processes, such as product development or acquisitions.
For so long, we have advocated for greater business visibility and influence. But we also need to play our part, particularly by articulating this crucial business risk in ways the business can understand and relate to.
Remember that job titles don’t necessarily equate to influence. Spend time with your boss and understand who the critical power brokers are—individuals able to persuade essential executives or the board. Your success as a cyber leader certainly depends on many factors, but your ability to persuade and influence key stakeholders is most important. Getting this right is more than 50% of the battle.
CISO Playbook: Stakeholder Management, Influence, and Persuasion - Ten highly effective techniques cyber leaders can deploy to enlist the unwavering support of senior executives and the board
Throughout this playbook, you will find practical guidelines to identify and implement effective cyber governance strategies to develop a highly focused cyber resilient organization.
Please add your details below to download the CISO Playbook: Stakeholder Management, Influence, and Persuasion - Ten highly effective techniques cyber leaders can deploy to enlist the unwavering support of senior executives and the board and sign up for Free membership of the Cyber Leadership Institute.